
CVE-2023-24471: NN-2023:5-01 - Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2 - CVE-2023-24471


Summary

An access control vulnerability was found: the restrictions that are applied to actual assertions are not enforced in their debug functionality.

Impact

An authenticated user with reduced visibility can obtain unauthorized information via the debug functionality, obtaining data that would normally not be accessible through the Query and Assertions functions.
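As an added illustration of the failure mode described above (a constructed example, not Nozomi Networks code; the node records, the user visibility scopes and all function names are assumptions): a debug path that evaluates the same assertion as the normal path but skips the shared visibility filter, beside a fixed version that reuses it.

```python
# Constructed example: a minimal assertion engine where visibility scoping
# lives in one shared layer, so that a debug path cannot hand back records
# the caller could not obtain through the normal query path.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    visible_sites: frozenset  # sites this user is allowed to see


# Constructed sample data: network nodes tagged with the site they belong to.
NODES = [
    {"ip": "10.0.1.5", "site": "plant-a", "vendor": "acme"},
    {"ip": "10.0.2.7", "site": "plant-b", "vendor": "acme"},
    {"ip": "10.0.3.9", "site": "plant-c", "vendor": "other"},
]


def visible_to(user, records):
    """The single authorization filter every read path must go through."""
    return [r for r in records if r["site"] in user.visible_sites]


def run_assertion(user, predicate):
    """Normal path: evaluates the assertion only over records the user may see."""
    return all(predicate(r) for r in visible_to(user, NODES))


def debug_assertion_vulnerable(user, predicate):
    """Debug path modelled on the advisory: same predicate, but the
    per-record detail is built from the unfiltered data set."""
    return [r for r in NODES if not predicate(r)]


def debug_assertion_fixed(user, predicate):
    """Hardened debug path: reuses the shared filter, so its output is a
    subset of what the user could already see via the normal path."""
    return [r for r in visible_to(user, NODES) if not predicate(r)]


def leaks(user, debug_fn, predicate):
    """Regression check: any returned record outside the user's scope is a leak."""
    return [r for r in debug_fn(user, predicate) if r["site"] not in user.visible_sites]
```

The `leaks` check is the kind of test worth keeping in a suite: every alternate read path (debug, export, preview) is run with a reduced-visibility user and must return nothing outside that user's scope.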

Affected Products

Guardian, CMC < v22.6.2

Workarounds and Mitigations

Use internal firewall features to limit access to the web management interface.

Solutions

Upgrade to v22.6.2 or later.

Modification History

2023-08-09: Initial revision

Acknowledgements

This issue was found by Stefano Libero of Nozomi Networks Product Security team during a scheduled internal VAPT testing session.
