CVE-2023-3406 - OpenCVE

Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
M-files	Classic Web

Configuration 1 [-]

OR	cpe:2.3:a:m-files:classic_web:::::lts:::*
	cpe:2.3:a:m-files:classic_web:::::-:::*
	cpe:2.3:a:m-files:classic_web:23.2:-:::lts:::*

References

Link	Resource
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-08-25T08:11:46.246Z

Updated: 2023-08-25T08:11:46.246Z

Reserved: 2023-06-26T13:29:10.505Z

Link: CVE-2023-3406

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-08-25T09:15:08.850

Modified: 2023-08-31T16:26:04.573

Link: CVE-2023-3406

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3406", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-06-26T13:29:10.505Z", "datePublished": "2023-08-25T08:11:46.246Z", "dateUpdated": "2023-08-25T08:11:46.246Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "M-Files Web", "vendor": "M-Files", "versions": [{"lessThan": "23.6.12695.3", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "23.2.12340.14"}]}], "datePublic": "2023-08-25T07:05:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}], "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "None publicly available"}], "value": "None publicly available"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2023-08-25T08:11:46.246Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."}], "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."}], "source": {"discovery": "INTERNAL"}, "title": "Path traversal issue in M-Files Classic Web", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:lts:*:*:*", "matchCriteriaId": "89B60851-49D1-40DA-A600-658BCC986BF6", "versionEndExcluding": "23.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*", "matchCriteriaId": "CE7A65F9-84AD-47E9-8C64-3585D5855FEA", "versionEndExcluding": "23.6.12695.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*", "matchCriteriaId": "4E66A68C-65E6-48E9-97DD-621B4B73D975", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}, {"lang": "es", "value": "Un problema de path traversal en las versiones de M-Files Classic Web, el cual afecta a las versiones inferiores a 23.6.12695.3 y a las versiones de lanzamiento del servicio LTS inferiores a 23.2 LTS SR3. Esta vulnerabilidad permite a un usuario autenticado leer algunos archivos restringidos en el servidor web."}], "id": "CVE-2023-3406", "lastModified": "2023-08-31T16:26:04.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2023-08-25T09:15:08.850", "references": [{"source": "security@m-files.com", "tags": ["Vendor Advisory"], "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@m-files.com", "type": "Secondary"}]}