CVE-2023-7102

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-7102
Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/haile01/perl_spreadsheet_excel_rce_poc Third Party Advisory
https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 Product
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md Third Party Advisory
https://metacpan.org/dist/Spreadsheet-ParseExcel Product
https://www.barracuda.com/company/legal/esg-vulnerability Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2023-7101 Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:barracuda:email_security_gateway_300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_300:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:barracuda:email_security_gateway_400_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_400:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:barracuda:email_security_gateway_600_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_600:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:barracuda:email_security_gateway_800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_800:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:barracuda:email_security_gateway_900_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_900:-:*:*:*:*:*:*:*
History

09 Jan 2024, 20:07

Type Values Removed Values Added
References () https://github.com/haile01/perl_spreadsheet_excel_rce_poc - () https://github.com/haile01/perl_spreadsheet_excel_rce_poc - Third Party Advisory
References () https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 - () https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 - Product
References () https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md - () https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md - Third Party Advisory
References () https://metacpan.org/dist/Spreadsheet-ParseExcel - () https://metacpan.org/dist/Spreadsheet-ParseExcel - Product
References () https://www.barracuda.com/company/legal/esg-vulnerability - () https://www.barracuda.com/company/legal/esg-vulnerability - Vendor Advisory
References () https://www.cve.org/CVERecord?id=CVE-2023-7101 - () https://www.cve.org/CVERecord?id=CVE-2023-7101 - Third Party Advisory
CWE NVD-CWE-Other
First Time Barracuda email Security Gateway 800 Firmware
Barracuda email Security Gateway 300
Barracuda email Security Gateway 300 Firmware
Barracuda
Barracuda email Security Gateway 900
Barracuda email Security Gateway 900 Firmware
Barracuda email Security Gateway 600 Firmware
Barracuda email Security Gateway 600
Barracuda email Security Gateway 400
Barracuda email Security Gateway 400 Firmware
Barracuda email Security Gateway 800
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
Summary
  • (es) El uso de una librería de terceros produjo una vulnerabilidad en el dispositivo Barracuda ESG de Barracuda Networks Inc. que permitía la inyección de parámetros. Este problema afectó al dispositivo Barracuda ESG, desde la versión 5.1.3.001 hasta la 9.2.1.001, hasta que Barracuda eliminó la lógica vulnerable.
CPE cpe:2.3:o:barracuda:email_security_gateway_300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_900:-:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_300:-:*:*:*:*:*:*:*
cpe:2.3:o:barracuda:email_security_gateway_600_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:barracuda:email_security_gateway_900_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_800:-:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_400:-:*:*:*:*:*:*:*
cpe:2.3:o:barracuda:email_security_gateway_400_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:barracuda:email_security_gateway_800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:barracuda:email_security_gateway_600:-:*:*:*:*:*:*:*

24 Dec 2023, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-24 22:15

Updated : 2024-01-09 20:07

NVD link : CVE-2023-7102

Mitre link : CVE-2023-7102

CVE.ORG link : CVE-2023-7102

JSON object : View

Products Affected

barracuda

  • email_security_gateway_400_firmware
  • email_security_gateway_300
  • email_security_gateway_800_firmware
  • email_security_gateway_800
  • email_security_gateway_300_firmware
  • email_security_gateway_400
  • email_security_gateway_600_firmware
  • email_security_gateway_900_firmware
  • email_security_gateway_900
  • email_security_gateway_600
CWE
NVD-CWE-Other CWE-1104

Use of Unmaintained Third Party Components