5.3
CVE-2023-41889
- EPSS 0.58%
- Veröffentlicht 15.09.2023 21:15:11
- Zuletzt bearbeitet 21.11.2024 08:21:51
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginLate-Unicode normalization vulnerability in SHIRASAGI
SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a Post-Unicode normalization issue. This happens when a logical validation or a security check is performed before a Unicode normalization. The Unicode character equivalent of a character would resurface after the normalization. The fix is initially performing the Unicode normalization and then strip for all whitespaces and then checking for a blank string. This issue has been fixed in version 1.18.0.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.58% | 0.431 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-176 Improper Handling of Unicode Encoding
The product does not properly handle when an input contains Unicode encoding.
https://github.com/shirasagi/shirasagi/blob/f249ce3f06f6bfbc0017b38f5c13de424334c3ea/app/models/concerns/rdf/object.rb#L68-L72
https://github.com/shirasagi/shirasagi/security/advisories/GHSA-xr45-c2jv-2v9r
https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks