CVE-2023-6368

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023	Vendor Advisory
https://www.progress.com/network-monitoring	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*

History

19 Dec 2023, 17:48

Type	Values Removed	Values Added
CWE		CWE-306
CVSS	v2 : ~~unknown~~ v3 : ~~5.9~~	v2 : unknown v3 : 5.3
References	~~() https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 -~~	() https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 - Vendor Advisory
References	~~() https://www.progress.com/network-monitoring -~~	() https://www.progress.com/network-monitoring - Product
Summary		(es) En las versiones de WhatsUp Gold lanzadas antes de 2023.1, se descubrió que a un endpoint de API le faltaba un mecanismo de autenticación. Es posible que un atacante no autenticado enumere información relacionada con un dispositivo registrado que está siendo monitorizado por WhatsUp Gold.
First Time		Progress Progress whatsup Gold
CPE		cpe:2.3:a:progress:whatsup_gold::::::::

14 Dec 2023, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-14 16:15

Updated : 2023-12-19 17:48

NVD link : CVE-2023-6368

Mitre link : CVE-2023-6368

CVE.ORG link : CVE-2023-6368

JSON object : View

Products Affected

progress

whatsup_gold

CWE

CWE-306

Missing Authentication for Critical Function

CWE-862

Missing Authorization

{"id": "CVE-2023-6368", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2023-12-14T16:15:54.103", "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "\nIn WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold.\n\n"}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2023.1, se descubri\u00f3 que a un endpoint de API le faltaba un mecanismo de autenticaci\u00f3n. Es posible que un atacante no autenticado enumere informaci\u00f3n relacionada con un dispositivo registrado que est\u00e1 siendo monitorizado por WhatsUp Gold."}], "lastModified": "2023-12-19T17:48:19.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D27D3E3-A9E8-493A-8D4A-51ED537ABC7D", "versionEndExcluding": "23.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}