CVE-2023-40053 - OpenCVE

A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Solarwinds	Serv-u

Configuration 1 [-]

OR	cpe:2.3:a:solarwinds:serv-u:15.4.0:-::::::
	cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix1::::::
	cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix2::::::

References

Link	Resource
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm	Release Notes
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-12-06T03:23:59.651Z

Updated: 2023-12-28T17:06:54.418Z

Reserved: 2023-08-08T23:22:08.618Z

Link: CVE-2023-40053

JSON object: View

NVD Information

Status : Modified

Published: 2023-12-06T04:15:07.523

Modified: 2023-12-28T17:15:09.460

Link: CVE-2023-40053

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-40053", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "state": "PUBLISHED", "assignerShortName": "SolarWinds", "dateReserved": "2023-08-08T23:22:08.618Z", "datePublished": "2023-12-06T03:23:59.651Z", "dateUpdated": "2023-12-28T17:06:54.418Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Serv-U", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "15.4 and previous versions"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Igor Souza"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. "}], "value": "A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. "}], "impacts": [{"capecId": "CAPEC-500", "descriptions": [{"lang": "en", "value": "CAPEC-500 WebView Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-12-28T17:06:54.418Z"}, "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053"}, {"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nSolarWinds advises to upgrade to the latest version of Serv-U 15.4.1 once became generally available.\n\n<br>"}], "value": "\nSolarWinds advises to upgrade to the latest version of Serv-U 15.4.1 once became generally available.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "HTML injection Vulnerability in Serv-U 15.4", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:serv-u:15.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "E5D87E13-3438-4299-80B2-A7C0746DBF51", "vulnerable": true}, {"criteria": "cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "258C9475-8149-4889-BC71-69A6D6AAD23F", "vulnerable": true}, {"criteria": "cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix2:*:*:*:*:*:*", "matchCriteriaId": "2D7FB620-2913-4972-997F-93E7BDA9C627", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. "}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Serv-U 15.4 que permite a un actor autenticado insertar contenido en la funci\u00f3n de compartir archivos de Serv-U, que podr\u00eda usarse de manera maliciosa."}], "id": "CVE-2023-40053", "lastModified": "2023-12-28T17:15:09.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "psirt@solarwinds.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2023-12-06T04:15:07.523", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}