CVE-2023-23561: SES Evolution server access check bypass (CVE-2023-23561)

Stormshield Endpoint Security 2.3.0 through 2.3.2 has Incorrect Access Control: authenticated users can read sensitive information.
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2023-001 | CVE-2023-23561 | 01/10/2023 | low | v1 |
Vulnerability details

An unspecified vulnerability in SES Evolution could allow an authenticated user to read some sensitive information that should not be accessible to them.
Impacted products

| Products | Severity | Detail |
|---|---|---|
| Stormshield Endpoint Security | low | SES is impacted |
Revisions

| Version | Date | Description |
|---|---|---|
| v1 | 05/25/2023 | Initial release |
Stormshield Endpoint Security

**CVSS v3.1 Overall Score: 3.4**
Analysis

An authenticated SES user (with any application profile) could use a local installation of the console to read internal server parameters that should not be accessible to that user.

Impacted version

- SES 2.3.0 to 2.3.2

Workaround solution

There is no workaround solution.

Solution

The 2.4.1 update fixes this vulnerability.
| Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|---|---|
| Adjacent Network | Low | Low | None | Unchanged | High | None | None |

CVSS Base score: 5.7

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
| Exploit Code Maturity | Remediation Level | Report Confidence |
|---|---|---|
| Unproven that exploit exists | Official fix | Confirmed |

CVSS Temporal score: 5

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
| Confidentiality Requirement | Integrity Requirement | Availability Requirement |
|---|---|---|
| Low | Low | Low |

CVSS Environmental score: 3.4

CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)
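As an added example (not part of the advisory and not Stormshield tooling), the following CVSS v3.1 calculator reproduces the base, temporal and environmental scores above from the printed vector strings, using the metric weights and the Roundup function defined in the FIRST CVSS v3.1 specification. It handles the general case (Changed scope, modified environmental metrics), not only this advisory's vectors.

```python
import math

# CVSS v3.1 metric weights (FIRST specification, section 7.4); "X" = Not Defined.
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "PRC": {"N": 0.85, "L": 0.68, "H": 0.5},
     "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
     "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
     "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
     "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
     "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}}

def roundup(x):
    """Spec Roundup: round up to one decimal, using the integer trick that avoids float error."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse_vector(vector):
    """Accept '(AV:A/...)' as printed in the advisory or the 'CVSS:3.1/AV:A/...' form."""
    s = vector.strip().strip("()")
    s = s.split("/", 1)[1] if s.startswith("CVSS:3.") else s
    return dict(part.split(":") for part in s.split("/"))

def cvss31_scores(vector):
    """Return (base, temporal, environmental) for a CVSS v3.1 vector string."""
    m = parse_vector(vector)
    g = lambda k: m.get(k, "X")                                 # optional metric, or "X"
    mod = lambda k: g("M" + k) if g("M" + k) != "X" else m[k]  # MAV/MAC/... fall back to base

    def score(av, ac, pr, ui, s, c, i, a, cr, ir, ar, env):
        """Base (env=False) or environmental (env=True) score before temporal factors."""
        iss = 1 - (1 - W["CIA"][c] * W["REQ"][cr]) * (1 - W["CIA"][i] * W["REQ"][ir]) \
                  * (1 - W["CIA"][a] * W["REQ"][ar])
        if env:                                                 # MISS is capped at 0.915
            iss = min(iss, 0.915)
        if s == "U":
            impact = 6.42 * iss
        elif env:
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
        else:
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        expl = 8.22 * W["AV"][av] * W["AC"][ac] * (W["PRC"] if s == "C" else W["PR"])[pr] * W["UI"][ui]
        if impact <= 0:
            return 0.0
        return roundup(min((1.08 if s == "C" else 1.0) * (impact + expl), 10))

    base = score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"], "X", "X", "X", False)
    tmul = W["E"][g("E")] * W["RL"][g("RL")] * W["RC"][g("RC")]
    temporal = roundup(base * tmul)
    env = score(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"), mod("C"), mod("I"), mod("A"),
                g("CR"), g("IR"), g("AR"), True)
    return base, temporal, roundup(env * tmul)
```

Feeding it the three vectors printed above returns 5.7, 5.0 and 3.4 respectively, matching the advisory; the drop from 5.7 to 3.4 comes entirely from the low Confidentiality Requirement (CR:L halves the only non-zero impact metric) combined with the unproven exploit and official fix.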