CVE-2023-3349

Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ayesa:ibermatica_rps:2019:*:*:*:*:*:*:*

History

05 Oct 2023, 00:59

Type	Values Removed	Values Added
CWE		CWE-532
First Time		Ayesa ibermatica Rps Ayesa
References	~~(MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019 -~~	(MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:ayesa:ibermatica_rps:2019:::::::*

03 Oct 2023, 14:29

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-03 14:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-3349

Mitre link : CVE-2023-3349

CVE.ORG link : CVE-2023-3349

JSON object : View

Products Affected

ayesa

ibermatica_rps

CWE

CWE-532

Insertion of Sensitive Information into Log File

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-3349", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2023-10-03T14:15:10.853", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-ibermatica-rps-2019", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n en IBERMATICA RPS 2019, cuya explotaci\u00f3n podr\u00eda permitir a un usuario no autenticado recuperar informaci\u00f3n sensible, como nombres de usuario, direcciones IP o consultas SQL enviadas a la aplicaci\u00f3n. Al acceder a la URL /RPS2019Service/status.html, la aplicaci\u00f3n habilita el mecanismo de registro generando el archivo de registro, que se puede descargar."}], "lastModified": "2023-10-05T00:59:13.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ayesa:ibermatica_rps:2019:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A27BE43-C805-4D83-A2A2-AD6ADD243568"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}