Base Score

CRITICAL9.8

CVE-2023-51982

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.(https://github.com/crate/crate/issues/15231)

VectorNETWORK

Published Bycve@mitre.org

Published DateJan 30, 2024, 01:15

Affected Versions(4)

io.crate:crate(Maven)

Introduced0

Fixed5.2.11

LimitN/A

io.crate:crate(Maven)

Introduced5.3.0

Fixed5.3.8

LimitN/A

io.crate:crate(Maven)

Introduced5.4.0

Fixed5.4.7

LimitN/A

io.crate:crate(Maven)

Introduced5.5.0

Fixed5.5.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
io.crate:crate(Maven)	0	5.2.11	N/A
io.crate:crate(Maven)	5.3.0	5.3.8	N/A
io.crate:crate(Maven)	5.4.0	5.4.7	N/A
io.crate:crate(Maven)	5.5.0	5.5.2	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://github.com/crate/crate/issues/15231

Base Score

CRITICAL9.8

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH