CVE-2023-30607

EPSS 0.11%
Veröffentlicht 05.07.2023 18:15:10
Zuletzt bearbeitet 21.11.2024 08:00:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Icinga ≫ Icinga Web Jira Integration Version >= 1.3.0 < 1.3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.305

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	5	1.6	3.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/Icinga/icingaweb2-module-jira/commit/7f0c53b7a3e87be2f4c2e8840805d7b7c9762424

Patch

https://github.com/Icinga/icingaweb2-module-jira/releases/tag/v1.3.2

Release Notes

https://github.com/Icinga/icingaweb2-module-jira/security/advisories/GHSA-gh7w-7f7j-gwp5

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-30607

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-30607

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-30607

EUVD