CVE-2023-2418 - OpenCVE

A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:H/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Konghq	Kong

Configuration 1 [-]

cpe:2.3:a:konghq:kong:2.8.3:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/advisories/GHSA-9g4c-xm3g-f8hq	Third Party Advisory
https://vuldb.com/?ctiid.227715	Permissions Required
https://vuldb.com/?id.227715	Permissions Required
https://www.cnblogs.com/andao/p/17330864.html	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2023-04-29T00:31:04.842Z

Updated: 2024-02-13T07:22:36.018Z

Reserved: 2023-04-28T16:52:40.949Z

Link: CVE-2023-2418

JSON object: View

NVD Information

Status : Modified

Published: 2023-04-29T01:15:08.980

Modified: 2024-05-17T02:22:58.070

Link: CVE-2023-2418

JSON object: View

Redhat Information

No data.

CWE

CWE-330

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2418", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-04-28T16:52:40.949Z", "datePublished": "2023-04-29T00:31:04.842Z", "dateUpdated": "2024-02-13T07:22:36.018Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-02-13T07:22:36.018Z"}, "title": "Konga Login API random values", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-330", "lang": "en", "description": "CWE-330 Insufficiently Random Values"}]}], "affected": [{"vendor": "n/a", "product": "Konga", "versions": [{"version": "2.8.3", "status": "affected"}], "modules": ["Login API"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Konga 2.8.3 f\u00fcr Kong ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Komponente Login API. Durch Manipulation mit unbekannten Daten kann eine insufficiently random values-Schwachstelle ausgenutzt werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme werden Anpassungen an der Konfiguration empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N"}}], "timeline": [{"time": "2023-04-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-04-28T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-04-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-05-24T08:37:31.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "the_whovian (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.227715", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.227715", "tags": ["signature", "permissions-required"]}, {"url": "https://www.cnblogs.com/andao/p/17330864.html", "tags": ["broken-link", "exploit"]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:konghq:kong:2.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "617BECC9-676B-496E-9BE5-61DE5555543B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715."}], "id": "CVE-2023-2418", "lastModified": "2024-05-17T02:22:58.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.2, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-04-29T01:15:08.980", "references": [{"source": "nvd@nist.gov", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-9g4c-xm3g-f8hq"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/?ctiid.227715"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/?id.227715"}, {"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://www.cnblogs.com/andao/p/17330864.html"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "cna@vuldb.com", "type": "Primary"}]}