8.8

CVE-2023-37268

EPSS 0.22%
Veröffentlicht 14.07.2023 22:15:09
Zuletzt bearbeitet 21.11.2024 08:11:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

User login confusion with SSO in warpgate

Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled an attacker may authenticate as an other user. Any user account which does not have a second factor enabled could be compromised. This issue has been addressed in commit `8173f6512a` and in releases starting with version 0.7.3. Users are advised to upgrade. Users unable to upgrade should require their users to use a second factor in authentication.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Warpgate Project ≫ Warpgate Version0.7.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.446

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.4	1.2	5.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/warp-tech/warpgate/commit/8173f6512ab6183fa5edc5c9a5f3760b8979271e

Patch

https://github.com/warp-tech/warpgate/security/advisories/GHSA-868r-97g5-r9g4

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-37268

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37268

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37268

EUVD