CVE-2023-4589

Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. An attacker with an administrator account could perform software updates without proper integrity verification mechanisms. In this scenario, the update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:delinea:secret_server:10.9.000002:*:*:*:*:*:*:*

History

11 Sep 2023, 13:44

Type	Values Removed	Values Added
CPE		cpe:2.3:a:delinea:secret_server:10.9.000002:::::::*
First Time		Delinea Delinea secret Server
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
References	~~(MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server -~~	(MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server - Third Party Advisory
CWE		CWE-345

06 Sep 2023, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-06 12:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-4589

Mitre link : CVE-2023-4589

CVE.ORG link : CVE-2023-4589

JSON object : View

Products Affected

delinea

secret_server

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2023-4589", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2023-09-06T12:15:07.967", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. An attacker with an administrator account could perform software updates without proper integrity verification mechanisms. In this scenario, the update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update."}, {"lang": "es", "value": "Vulnerabilidad de verificaci\u00f3n insuficiente de autenticidad de datos en Delinea Secret Server, en su versi\u00f3n v10.9.000002. Un atacante con una cuenta de administrador podr\u00eda realizar actualizaciones de software sin los mecanismos adecuados de verificaci\u00f3n de integridad. En este escenario, el proceso de actualizaci\u00f3n carece de firmas digitales y no logra validar la integridad del paquete de actualizaci\u00f3n, lo que permite al atacante inyectar aplicaciones maliciosas durante la actualizaci\u00f3n.\n"}], "lastModified": "2023-09-11T13:44:47.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:delinea:secret_server:10.9.000002:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0549C65A-06F9-41D4-BF9C-D303A8BC578C"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}