CVE-2023-6912 - OpenCVE

Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
M-files	M-files Server

Configuration 1 [-]

cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-12-20T09:35:46.232Z

Updated: 2024-01-30T15:49:09.950Z

Reserved: 2023-12-18T08:33:42.158Z

Link: CVE-2023-6912

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-20T10:15:08.703

Modified: 2023-12-28T20:21:13.940

Link: CVE-2023-6912

JSON object: View

Redhat Information

No data.

CWE

CWE-307

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6912", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-12-18T08:33:42.158Z", "datePublished": "2023-12-20T09:35:46.232Z", "dateUpdated": "2024-01-30T15:49:09.950Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "M-Files Server", "vendor": "M-Files Corporation", "versions": [{"lessThan": "23.12.13205.0", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "23.2 LTS SR6"}, {"status": "unaffected", "version": "23.8 LTS SR4"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.<br>"}], "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.\n"}], "impacts": [{"capecId": "CAPEC-49", "descriptions": [{"lang": "en", "value": "CAPEC-49: Password Brute Forcing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-01-30T15:49:09.950Z"}, "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to patched version.<br>"}], "value": "Update to patched version.\n"}], "source": {"discovery": "INTERNAL"}, "title": "Brute force vulnerability in M-Files user authentication", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0AFFA84-5D0F-4F54-88D1-BDB1970D9369", "versionEndExcluding": "23.12.13205.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.\n"}, {"lang": "es", "value": "La falta de protecci\u00f3n contra ataques de fuerza bruta en M-Files Server antes de 23.12.13205.0 permite a un atacante realizar intentos de autenticaci\u00f3n ilimitados, lo que podr\u00eda comprometer cuentas de usuarios de M-Files espec\u00edficas al adivinar contrase\u00f1as."}], "id": "CVE-2023-6912", "lastModified": "2023-12-28T20:21:13.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2023-12-20T10:15:08.703", "references": [{"source": "security@m-files.com", "tags": ["Vendor Advisory"], "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "security@m-files.com", "type": "Secondary"}]}