CVE-2023-43799

Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the software running on MacOS, Windows, and Linux. Version 5.2.5 fixes this issue.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/altair-graphql/altair/releases/tag/v5.2.5	Release Notes
https://github.com/altair-graphql/altair/security/advisories/GHSA-9m5v-vrf6-fmvm	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:altairgraphql:altair:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

10 Oct 2023, 18:52

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/altair-graphql/altair/security/advisories/GHSA-9m5v-vrf6-fmvm -~~	(MISC) https://github.com/altair-graphql/altair/security/advisories/GHSA-9m5v-vrf6-fmvm - Vendor Advisory
References	~~(MISC) https://github.com/altair-graphql/altair/releases/tag/v5.2.5 -~~	(MISC) https://github.com/altair-graphql/altair/releases/tag/v5.2.5 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE	~~CWE-20~~	NVD-CWE-noinfo
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:a:altairgraphql:altair:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*
First Time		Microsoft Linux Altairgraphql altair Linux linux Kernel Apple macos Microsoft windows Apple Altairgraphql

04 Oct 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-04 21:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-43799

Mitre link : CVE-2023-43799

CVE.ORG link : CVE-2023-43799

JSON object : View

Products Affected

altairgraphql

altair

microsoft

windows

apple

macos

linux

linux_kernel

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2023-43799", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.3}]}, "published": "2023-10-04T21:15:10.127", "references": [{"url": "https://github.com/altair-graphql/altair/releases/tag/v5.2.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/altair-graphql/altair/security/advisories/GHSA-9m5v-vrf6-fmvm", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the software running on MacOS, Windows, and Linux. Version 5.2.5 fixes this issue."}, {"lang": "es", "value": "Altair es un cliente GraphQL. Antes de la versi\u00f3n 5.2.5, la aplicaci\u00f3n de escritorio del cliente Altair GraphQL no sanitiza las URL externas antes de pasarlas al sistema subyacente. Adem\u00e1s, Altair GraphQL Client tampoco a\u00edsla el contexto del proceso de renderizado. Esto afecta a las versiones del software que se ejecutan en MacOS, Windows y Linux. La versi\u00f3n 5.2.5 soluciona este problema."}], "lastModified": "2023-10-10T18:52:02.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:altairgraphql:altair:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A1166C3-258F-4EFB-8722-953DCDE5AA1E", "versionEndExcluding": "5.2.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-advisories@github.com"}