CVE-2023-3349

Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019	Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ayesa:ibermatica_rps:2019:*:*:*:*:*:*:*

History

21 Nov 2024, 08:17

Type	Values Removed	Values Added
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019 - Third Party Advisory~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 8.2

05 Oct 2023, 00:59

Type	Values Removed	Values Added
First Time		Ayesa ibermatica Rps Ayesa
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:ayesa:ibermatica_rps:2019:::::::*
References	~~(MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019 -~~	(MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019 - Third Party Advisory
CWE		CWE-532

03 Oct 2023, 14:29

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-03 14:15

Updated : 2024-11-21 08:17

NVD link : CVE-2023-3349

Mitre link : CVE-2023-3349

CVE.ORG link : CVE-2023-3349

JSON object : View

Products Affected

ayesa

ibermatica_rps

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2023-3349", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-03T14:15:10.853", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}, {"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n en IBERMATICA RPS 2019, cuya explotaci\u00f3n podr\u00eda permitir a un usuario no autenticado recuperar informaci\u00f3n sensible, como nombres de usuario, direcciones IP o consultas SQL enviadas a la aplicaci\u00f3n. Al acceder a la URL /RPS2019Service/status.html, la aplicaci\u00f3n habilita el mecanismo de registro generando el archivo de registro, que se puede descargar."}], "lastModified": "2024-11-21T08:17:04.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ayesa:ibermatica_rps:2019:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A27BE43-C805-4D83-A2A2-AD6ADD243568"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}