Headline
CVE-2023-23562: SES Evolution server access check bypass (CVE-2023-23562)
Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control that allows an authenticated user to update global parameters.
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
| --- | --- | --- | --- | --- |
| STORM-2023-002 | CVE-2023-23562 | 01/10/2023 | low | v1 |
Vulnerability details
An unspecified vulnerability in SES Evolution could allow an authenticated user to update global parameters.
Impacted products
| Products | Severity | Detail |
| --- | --- | --- |
| Stormshield Endpoint Security | low | SES is impacted |
Revisions
| Version | Date | Description |
| --- | --- | --- |
| v1 | 05/25/2023 | Initial release |
Stormshield Endpoint Security
**CVSS v3.1 Overall Score: 3.9**
Analysis
An authenticated SES user (of any applicative profile) could use a local installation of the console to modify global parameters that they should not be able to change, potentially impacting application availability.
Impacted version
- SES 2.3.0 to 2.3.2
Workaround solution
There is no workaround solution.
Solution
The 2.4.1 update fixes this vulnerability.
| Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Adjacent Network | Low | Low | None | Unchanged | High | None | Low |
CVSS Base score: 6.3
CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
| Exploit Code Maturity | Remediation Level | Report Confidence |
| --- | --- | --- |
| Unproven that exploit exists | Official fix | Confirmed |
CVSS Temporal score: 5.5
CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C)
| Confidentiality Requirement | Integrity Requirement | Availability Requirement |
| --- | --- | --- |
| Low | Low | Low |
CVSS Environmental score: 3.9
CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)
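The three scores in this advisory (6.3 base, 5.5 temporal, 3.9 environmental) follow from the vector strings by the CVSS v3.1 formulas. The calculator below is an added example, not Stormshield's own tooling; its metric weights come from the CVSS v3.1 specification, the function names are the example's own, and it accepts the parenthesised vector form printed above as well as the `CVSS:3.1/...` prefix form.

```python
import math
# Metric weights from the CVSS v3.1 specification (section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (scope unchanged, scope changed)
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}      # Exploit Code Maturity
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}     # Remediation Level
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}                # Report Confidence
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}                 # CR / IR / AR security requirements
def roundup(x):
    # CVSS v3.1 Roundup(): smallest one-decimal value >= x, with the spec's float-noise guard.
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0
def parse(vector):
    # Accepts "(AV:A/AC:L/...)" as printed in the advisory or "CVSS:3.1/AV:A/..."; absent optional metrics are X.
    m = {k: "X" for k in ("E", "RL", "RC", "CR", "IR", "AR")}
    for part in vector.strip("()").split("/"):
        k, v = part.split(":")
        if k != "CVSS":
            m[k] = v
    return m
def _sub_scores(m, modified):
    # Impact/exploitability sub-scores; modified=True applies the M* overrides and the CR/IR/AR weights.
    def v(k):
        mv = m.get("M" + k, "X") if modified else "X"
        return m[k] if mv == "X" else mv
    changed = v("S") == "C"
    expl = 8.22 * AV[v("AV")] * AC[v("AC")] * PR[v("PR")][1 if changed else 0] * UI[v("UI")]
    c, i, a = CIA[v("C")], CIA[v("I")], CIA[v("A")]
    if modified:
        iss = min(1 - (1 - c * REQ[m["CR"]]) * (1 - i * REQ[m["IR"]]) * (1 - a * REQ[m["AR"]]), 0.915)
    else:
        iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if not changed:
        impact = 6.42 * iss
    else:  # scope changed; the modified formula uses the v3.1-adjusted polynomial
        impact = 7.52 * (iss - 0.029) - 3.25 * ((iss * 0.9731 - 0.02) ** 13 if modified else (iss - 0.02) ** 15)
    return impact, expl, changed
def cvss31(vector):
    # Returns (base, temporal, environmental) scores for one CVSS v3.1 vector string.
    m = parse(vector)
    impact, expl, changed = _sub_scores(m, False)
    base = 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    temporal_factor = E[m["E"]] * RL[m["RL"]] * RC[m["RC"]]
    temporal = roundup(base * temporal_factor)
    mi, me, mchanged = _sub_scores(m, True)
    env = 0.0 if mi <= 0 else roundup(roundup(min((1.08 if mchanged else 1.0) * (mi + me), 10)) * temporal_factor)
    return base, temporal, env
```

Running `cvss31` on the environmental vector above returns `(6.3, 5.5, 3.9)`; the environmental score is what drives the 3.9 overall score shown for this product, because the Low CR/IR/AR requirements halve the weight of the High confidentiality impact.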