CVE-2023-3512

Relative path traversal vulnerability in Setelsa Security's ConacWin CB, in its 3.8.2.2 version and earlier, the exploitation of which could allow an attacker to perform an arbitrary download of files from the system via the "Download file" parameter.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin	Broken Link
https://github.com/advisories/GHSA-v6jm-v768-76h2	Third Party Advisory
https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:setelsa-security:conacwin:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:17

Type	Values Removed	Values Added
References	~~() https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin - Broken Link~~	() https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin - Broken Link

05 Oct 2023, 17:04

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-22
CPE		cpe:2.3:a:setelsa-security:conacwin::::::::
First Time		Setelsa-security Setelsa-security conacwin
References		(MISC) https://github.com/advisories/GHSA-v6jm-v768-76h2 - Third Party Advisory
References	~~(MISC) https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin -~~	(MISC) https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin - Broken Link

04 Oct 2023, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-04 11:15

Updated : 2024-11-21 08:17

NVD link : CVE-2023-3512

Mitre link : CVE-2023-3512

CVE.ORG link : CVE-2023-3512

JSON object : View

Products Affected

setelsa-security

conacwin

CWE

CWE-23

Relative Path Traversal

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-3512", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-04T11:15:10.363", "references": [{"url": "https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin", "tags": ["Broken Link"], "source": "cve-coordination@incibe.es"}, {"url": "https://github.com/advisories/GHSA-v6jm-v768-76h2", "tags": ["Third Party Advisory"], "source": "nvd@nist.gov"}, {"url": "https://https://www.incibe.es/en/incibe-cert/notices/aviso/relative-path-traversal-setelsa-security-conacwin", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-23"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Relative path traversal vulnerability in Setelsa Security's ConacWin CB, in its 3.8.2.2 version and earlier, the exploitation of which could allow an attacker to perform an arbitrary download of files from the system via the \"Download file\" parameter."}, {"lang": "es", "value": "Vulnerabilidad relativa de path traversal en Setelsa Security's ConacWin CB, en su versi\u00f3n 3.8.2.2 y anteriores, cuya explotaci\u00f3n podr\u00eda permitir a un atacante realizar una descarga arbitraria de archivos del sistema a trav\u00e9s del par\u00e1metro \"Descargar archivo\"."}], "lastModified": "2024-11-21T08:17:25.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:setelsa-security:conacwin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AECA3302-4A34-45AA-A68E-A8CDEC89526A", "versionEndIncluding": "3.8.2.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}