CVE-2023-45798 - OpenCVE

In Yettiesoft VestCert versions 2.36 to 2.5.29, a vulnerability exists due to improper validation of third-party modules. This allows malicious actors to load arbitrary third-party modules, leading to remote code execution.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Yettiesoft	Vestcert

Configuration 1 [-]

cpe:2.3:a:yettiesoft:vestcert:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=71008&menuNo=205020	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: krcert

Published: 2023-10-30T06:17:14.332Z

Updated: 2023-10-30T06:17:14.332Z

Reserved: 2023-10-13T08:01:54.364Z

Link: CVE-2023-45798

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-30T07:15:12.887

Modified: 2023-11-08T02:44:41.433

Link: CVE-2023-45798

JSON object: View

Redhat Information

No data.

CWE

CWE-829

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-45798", "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "state": "PUBLISHED", "assignerShortName": "krcert", "dateReserved": "2023-10-13T08:01:54.364Z", "datePublished": "2023-10-30T06:17:14.332Z", "dateUpdated": "2023-10-30T06:17:14.332Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VestCert", "vendor": "Yettiesoft", "versions": [{"changes": [{"at": "2.5.30", "status": "unaffected"}], "lessThanOrEqual": "2.5.29", "status": "affected", "version": "2.3.6", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Han Myung-Wook"}, {"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Song Tae-Hyun"}, {"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Kim Joon-Seok"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Yettiesoft VestCert versions 2.36 to 2.5.29, a vulnerability exists due to improper validation of third-party modules. This allows malicious actors to load arbitrary third-party modules, leading to remote code execution."}], "value": "In Yettiesoft VestCert versions 2.36 to 2.5.29, a vulnerability exists due to improper validation of third-party modules. This allows malicious actors to load arbitrary third-party modules, leading to remote code execution."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "shortName": "krcert", "dateUpdated": "2023-10-30T06:17:14.332Z"}, "references": [{"url": "https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=71008&menuNo=205020"}], "source": {"discovery": "UNKNOWN"}, "title": "Yettiesoft VestCert Remote Code Execution Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yettiesoft:vestcert:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D6DCAAF-2C0B-4D2B-8651-8516A8BCB32C", "versionEndExcluding": "2.5.30", "versionStartIncluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Yettiesoft VestCert versions 2.36 to 2.5.29, a vulnerability exists due to improper validation of third-party modules. This allows malicious actors to load arbitrary third-party modules, leading to remote code execution."}, {"lang": "es", "value": "En Yettiesoft VestCert versiones 2.36 a 2.5.29, existe una vulnerabilidad debido a una validaci\u00f3n incorrecta de m\u00f3dulos de terceros. Esto permite a actores malintencionados cargar m\u00f3dulos arbitrarios de terceros, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2023-45798", "lastModified": "2023-11-08T02:44:41.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "vuln@krcert.or.kr", "type": "Secondary"}]}, "published": "2023-10-30T07:15:12.887", "references": [{"source": "vuln@krcert.or.kr", "tags": ["Third Party Advisory"], "url": "https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=71008&menuNo=205020"}], "sourceIdentifier": "vuln@krcert.or.kr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-829"}], "source": "vuln@krcert.or.kr", "type": "Secondary"}]}