CVE-2023-22949

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is logging of user credentials. All authenticated GSQL access requests are logged by TigerGraph in multiple places. Each request includes both the username and password of the user in an easily decodable base64 form. That could allow a TigerGraph administrator to effectively harvest usernames/passwords.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://dev.tigergraph.com/forum/c/tg-community/announcements/35	Product
https://neo4j.com/security/cve-2023-22949/	Exploit Third Party Advisory
https://dev.tigergraph.com/forum/c/tg-community/announcements/35	Product
https://neo4j.com/security/cve-2023-22949/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tigergraph:cloud:-:::::::*
	cpe:2.3:a:tigergraph:tigergraph_enterprise:3.7.0::::free:-::*
	cpe:2.3:a:tigergraph:tigergraph_enterprise:3.7.0::::free:docker::*

History

21 Nov 2024, 07:45

Type	Values Removed	Values Added
References	~~() https://dev.tigergraph.com/forum/c/tg-community/announcements/35 - Product~~	() https://dev.tigergraph.com/forum/c/tg-community/announcements/35 - Product
References	~~() https://neo4j.com/security/cve-2023-22949/ - Exploit, Third Party Advisory~~	() https://neo4j.com/security/cve-2023-22949/ - Exploit, Third Party Advisory

Information

Published : 2023-04-14 14:15

Updated : 2024-11-21 07:45

NVD link : CVE-2023-22949

Mitre link : CVE-2023-22949

CVE.ORG link : CVE-2023-22949

JSON object : View

Products Affected

tigergraph

tigergraph_enterprise
cloud

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2023-22949", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2023-04-14T14:15:10.723", "references": [{"url": "https://dev.tigergraph.com/forum/c/tg-community/announcements/35", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://neo4j.com/security/cve-2023-22949/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://dev.tigergraph.com/forum/c/tg-community/announcements/35", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://neo4j.com/security/cve-2023-22949/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is logging of user credentials. All authenticated GSQL access requests are logged by TigerGraph in multiple places. Each request includes both the username and password of the user in an easily decodable base64 form. That could allow a TigerGraph administrator to effectively harvest usernames/passwords."}], "lastModified": "2024-11-21T07:45:42.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tigergraph:cloud:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51757E82-0551-48EB-9F73-7141B03D6D87"}, {"criteria": "cpe:2.3:a:tigergraph:tigergraph_enterprise:3.7.0:*:*:*:free:-:*:*", "vulnerable": true, "matchCriteriaId": "E4FF3A96-AA5F-4DA6-BBE9-37C5A1C11279"}, {"criteria": "cpe:2.3:a:tigergraph:tigergraph_enterprise:3.7.0:*:*:*:free:docker:*:*", "vulnerable": true, "matchCriteriaId": "35459185-6569-4F54-B338-0355DF5ECC50"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}