CVE-2023-50454

An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is exploitable by man-in-the-middle attackers.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://zammad.com/en/advisories/zaa-2023-04	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zammad:zammad:6.1.0:-::::::
	cpe:2.3:a:zammad:zammad:6.1.0:alpha::::::
	cpe:2.3:a:zammad:zammad:6.2.0:alpha::::::

History

13 Dec 2023, 18:04

Type	Values Removed	Values Added
First Time		Zammad zammad Zammad
CWE		CWE-295
References	~~() https://zammad.com/en/advisories/zaa-2023-04 -~~	() https://zammad.com/en/advisories/zaa-2023-04 - Vendor Advisory
CPE		cpe:2.3:a:zammad:zammad:6.1.0:alpha:::::: cpe:2.3:a:zammad:zammad:6.1.0:-:::::: cpe:2.3:a:zammad:zammad:6.2.0:alpha::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9

11 Dec 2023, 12:20

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en Zammad antes de la versión 6.2.0. En varios subsistemas, se utilizó SSL/TLS para establecer conexiones a servicios externos sin la validación adecuada del nombre de host y la autoridad certificadora. Esto es aprovechable por atacantes intermediarios.

10 Dec 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-10 19:15

Updated : 2023-12-13 18:04

NVD link : CVE-2023-50454

Mitre link : CVE-2023-50454

CVE.ORG link : CVE-2023-50454

JSON object : View

Products Affected

zammad

zammad

CWE

CWE-295

Improper Certificate Validation

5.9 /10