NN-2023:17-01
Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
Last update: 2024-09-19
| Advisory ID | NN-2023:17-01 |
|---|---|
| Topic | Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 |
| CWE Impact | CWE-201: Insertion of Sensitive Information Into Sent Data |
| Issue date | 2024-04-10 |
| Affects | Guardian, CMC < v23.4.1 |
| CVE Name(s) | CVE-2023-6916 |
| CVSS Details | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVSS Score | 7.5 (CVSS v4.0) 7.2 (CVSS v3.1) |
| CVE Risk Level | High (CVSS v4.0) High (CVSS v3.1) |
| Risk Level for Nozomi customers | High |
Summary
Audit records for OpenAPI requests may include sensitive information.
Impact
Unauthorized access, privilege escalation.
Affected Products
Guardian, CMC < v23.4.1
Workarounds and Mitigations
Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, it is advised to limit API keys to allowed IP addresses whenever possible. Finally, it is also suggested to regenerate existing API keys periodically and to review sign-ins via API keys in the audit records.
Solutions
Upgrade to v23.4.1 or later.
Modification History
2024-04-10: Initial revision
2024-04-10: updated the acknowledgements section
2024-04-11: technical update
2024-05-20: Added CVSS v4.0 scoring where applicable
2024-09-19: Revised CWE mapping
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Maciej Kosz for reporting this issue
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.