CVE-2023-42455
Summary
| CVE | CVE-2023-42455 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-09 17:15:00 UTC |
| Updated | 2023-10-13 16:26:00 UTC |
| Description | Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a user logged in to the dashboard to become an administrator of the API, even if their dashboard role is not an administrator role. Version 4.4.2 contains a fix. There are no known workarounds. |
Risk And Classification
Problem Types: CWE-639
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wazuh | Wazuh-dashboard | All | All | All | All |
| Application | Wazuh | Wazuh-kibana-app | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Enhance the getConfiguration backend service by Desvelao · Pull Request #5428 · wazuh/wazuh-dashboard-plugins · GitHub | MISC | github.com | |
| User privilege escalation · Advisory · wazuh/wazuh-dashboard-plugins · GitHub | MISC | github.com | |
| Enhance the `getConfiguration` backend service · Issue #5427 · wazuh/wazuh-dashboard-plugins · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.