CVE-2023-41889

Exploit

EPSS 0.15%
Veröffentlicht 15.09.2023 21:15:11
Zuletzt bearbeitet 21.11.2024 08:21:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a Post-Unicode normalization issue. This happens when a logical validation or a security check is performed before a Unicode normalization. The Unicode character equivalent of a character would resurface after the normalization. The fix is initially performing the Unicode normalization and then strip for all whitespaces and then checking for a blank string. This issue has been fixed in version 1.18.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ss-proj ≫ Shirasagi Version < 1.18.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.367

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-176 Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

https://github.com/shirasagi/shirasagi/blob/f249ce3f06f6bfbc0017b38f5c13de424334c3ea/app/models/concerns/rdf/object.rb#L68-L72

Product

https://github.com/shirasagi/shirasagi/security/advisories/GHSA-xr45-c2jv-2v9r

Vendor Advisory

Exploit

Mitigation

https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-41889