Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1

Last update: 2024-05-20

Advisory ID: NN-2023:17-01
Topic: Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
CWE Impact: CWE-522 (Insufficiently Protected Credentials)
Issue date: 2024-04-10
Affects: Guardian, CMC < v23.4.1
CVE Name(s): CVE-2023-6916
CVSS Score: 7.5 (CVSS v4.0); 7.2 (CVSS v3.1)
CVE Risk Level: High (CVSS v4.0); High (CVSS v3.1)
Risk Level for Nozomi customers: High


Description

Audit records written for OpenAPI requests may include sensitive information. The issue is classified as CWE-522 (Insufficiently Protected Credentials): credentials that belong in the request, not in the audit trail, can end up readable by anyone who is able to view the audit records.


Impact

Unauthorized access and privilege escalation: an actor who can read the audit records may obtain credentials recorded there and use them with the permissions of the account they belong to.
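As an added illustration of the weakness class (this is not Nozomi's code, and the advisory does not state which fields the affected audit records contained), the Python below contrasts an audit writer that copies an OpenAPI request verbatim, credentials included, with one that keeps the fields an auditor needs and masks the rest. The request shape, header and parameter names, URL, sample request and credentials are all constructed assumptions.

```python
"""Audit records and credentials (CWE-522), illustrated.

Added example, not Nozomi's implementation. The advisory does not say which
fields the affected audit records contained; the request shape, header and
parameter names, URL and credentials below are all constructed assumptions.
"""
from __future__ import annotations

import hashlib
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names that carry credentials in this illustration (assumed list; extend per API).
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
SECRET_PARAMS = {"api_key", "key_token", "password", "token", "secret"}
MASK = "[REDACTED]"

# Constructed sample request; the key, password and Basic credentials are made up.
SAMPLE_REQUEST = {
    "user": "api-reader",
    "source_ip": "10.0.0.5",
    "method": "POST",
    "url": "https://appliance.example/api/open/query?api_key=KN-abc123&query=nodes",
    "headers": {
        "X-Api-Key": "KN-abc123",
        "Authorization": "Basic YWRtaW46aHVudGVyMg==",
        "Content-Type": "application/json",
    },
    "body": {"username": "admin", "password": "hunter2", "query": "nodes"},
}
SAMPLE_SECRETS = ["KN-abc123", "YWRtaW46aHVudGVyMg==", "hunter2"]


def audit_record_unsafe(request: dict) -> dict:
    """Vulnerable pattern: the whole request becomes the audit entry, so the API key
    (in both the query string and a header) and the password land in the audit trail."""
    return {
        "event": "openapi_request",
        "user": request["user"],
        "source_ip": request["source_ip"],
        "method": request["method"],
        "url": request["url"],
        "headers": dict(request["headers"]),
        "body": request.get("body"),
    }


def key_fingerprint(secret: str) -> str:
    """Short one-way tag: lets two events made with the same key be correlated
    without storing the key. Truncated SHA-256, not reversible."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def redact_url(url: str) -> str:
    """Mask credential-bearing query parameters, keep the rest of the URL intact."""
    parts = urlsplit(url)
    query = [(k, MASK if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_body(body):
    """Recursively mask credential-bearing keys in a JSON-like body."""
    if isinstance(body, dict):
        return {k: (MASK if k.lower() in SECRET_PARAMS else redact_body(v)) for k, v in body.items()}
    if isinstance(body, list):
        return [redact_body(v) for v in body]
    return body


def audit_record_redacted(request: dict) -> dict:
    """Hardened pattern: record who, from where, what and when; never the secret itself."""
    headers, fingerprint = {}, None
    for name, value in request["headers"].items():
        if name.lower() in SECRET_HEADERS:
            headers[name] = MASK
            if name.lower() == "x-api-key":
                fingerprint = key_fingerprint(value)
        else:
            headers[name] = value
    return {
        "event": "openapi_request",
        "user": request["user"],
        "source_ip": request["source_ip"],
        "method": request["method"],
        "url": redact_url(request["url"]),
        "headers": headers,
        "api_key_fingerprint": fingerprint,
        "body": redact_body(request.get("body")),
    }


def leaked_secrets(record: dict, secrets: list[str]) -> list[str]:
    """Which of the given secrets appear verbatim in the serialized record.
    This is the check to run against an audit export before trusting it."""
    blob = json.dumps(record)
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    for writer in (audit_record_unsafe, audit_record_redacted):
        record = writer(SAMPLE_REQUEST)
        print(writer.__name__, "leaks:", leaked_secrets(record, SAMPLE_SECRETS))
        print(json.dumps(record, indent=2))
```

The redacted record still answers the questions an audit exists for (which user, from which address, which endpoint and query) and keeps a fingerprint so repeated use of one key can be correlated, but a reader of the audit trail gains no credential. `leaked_secrets` is the sanity check to run against an export of the real records: feed it the known key values and it reports which of them are present verbatim.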

Affected Products

Guardian, CMC < v23.4.1

Workarounds and Mitigations

Nozomi Networks recommends creating dedicated users for OpenAPI usage, holding only the permissions needed to read the required data sources. Where possible, restrict each API key to the source IP addresses that are allowed to use it. Regenerate existing API keys periodically, and review sign-ins performed with API keys in the audit records. Until the fixed version is installed, also treat the audit records themselves as sensitive and limit who can read them; these measures reduce exposure but do not remove the underlying issue.
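The review the last recommendation asks for, as an added example (not a Nozomi tool): it reads an audit export, keeps only sign-ins made with API keys, and checks each one against the other recommendations, an IP allowlist per key, a maximum key age, and a dedicated non-administrative owner. The record layout, field names, sample records, key inventory and rotation period are constructed assumptions; the actual export format of Guardian/CMC may differ.

```python
"""Review API-key sign-ins in an audit export against the recommendations above.

Added example, not a Nozomi tool. The line format, field names, the key
inventory, the rotation period and the sample records are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit export, one JSON object per line (not a real capture).
SAMPLE_AUDIT_LINES = """
{"ts": "2024-04-12T08:01:10Z", "event": "signin", "auth": "api_key", "key_id": "k-01", "user": "api-reader", "source_ip": "10.0.0.5"}
{"ts": "2024-04-12T08:04:31Z", "event": "signin", "auth": "api_key", "key_id": "k-01", "user": "api-reader", "source_ip": "203.0.113.9"}
{"ts": "2024-04-12T09:15:00Z", "event": "signin", "auth": "password", "user": "alice", "source_ip": "10.0.0.7"}
{"ts": "2024-04-12T10:20:45Z", "event": "signin", "auth": "api_key", "key_id": "k-02", "user": "admin", "source_ip": "10.0.1.4"}
{"ts": "2024-04-12T10:22:03Z", "event": "signin", "auth": "api_key", "key_id": "k-03", "user": "siem-export", "source_ip": "10.0.2.2"}
{"ts": "2024-04-12T11:00:00Z", "event": "signin", "auth": "api_key", "key_id": "k-09", "user": "api-reader", "source_ip": "10.0.0.5"}
""".strip()

# Assumed inventory of issued keys: owner, allowed source networks, creation date, owner's roles.
KEY_POLICY = {
    "k-01": {"user": "api-reader", "allowed": ["10.0.0.0/24"], "created": "2024-01-05", "roles": ["read_only"]},
    "k-02": {"user": "admin", "allowed": ["10.0.1.0/24"], "created": "2023-06-01", "roles": ["admin"]},
    "k-03": {"user": "siem-export", "allowed": [], "created": "2024-04-01", "roles": ["read_only"]},
}
ROTATION_MAX_AGE = timedelta(days=90)  # assumed rotation period
REVIEW_AS_OF = datetime(2024, 4, 15, tzinfo=timezone.utc)  # fixed "now" so the sample review is reproducible


def parse_records(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_allowed(ip: str, cidrs: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def review_api_key_signins(records: list[dict], policy: dict, now: datetime) -> list[tuple]:
    """Return sorted, de-duplicated (finding, key_id, detail) tuples for API-key sign-ins
    that contradict the recommendations. Password sign-ins are not in scope here."""
    findings = set()
    for r in records:
        if r.get("event") != "signin" or r.get("auth") != "api_key":
            continue
        key = policy.get(r.get("key_id"))
        if key is None:
            # A sign-in with a key that is not in the inventory: find out who issued it.
            findings.add(("unknown_key", r.get("key_id"), r.get("user")))
            continue
        if not key["allowed"]:
            findings.add(("no_ip_restriction", r["key_id"], key["user"]))
        elif not ip_allowed(r["source_ip"], key["allowed"]):
            findings.add(("ip_not_allowed", r["key_id"], r["source_ip"]))
        created = datetime.fromisoformat(key["created"]).replace(tzinfo=timezone.utc)
        if now - created > ROTATION_MAX_AGE:
            findings.add(("rotation_overdue", r["key_id"], f"{(now - created).days}d"))
        if "admin" in key["roles"]:
            # Keys should belong to dedicated users with only the permissions they need.
            findings.add(("privileged_key", r["key_id"], key["user"]))
    return sorted(findings)


def review_sample() -> list[tuple]:
    return review_api_key_signins(parse_records(SAMPLE_AUDIT_LINES), KEY_POLICY, REVIEW_AS_OF)


if __name__ == "__main__":
    for finding, key_id, detail in review_sample():
        print(f"{finding:<18} {key_id:<6} {detail}")
```

Each finding maps to one of the recommendations: `ip_not_allowed` and `no_ip_restriction` to the IP restriction, `rotation_overdue` to periodic regeneration, `privileged_key` to the dedicated least-privilege user, and `unknown_key` to a key the inventory does not know about, which is worth treating as a sign-in to investigate rather than a bookkeeping gap.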


Solution

Upgrade to v23.4.1 or later.

Modification History

2024-04-10: Initial revision
2024-04-10: Updated the acknowledgements section
2024-04-11: Technical update
2024-05-20: Added CVSS v4.0 scoring where applicable

Related Links


Acknowledgements

We thank the following parties for their efforts:

  • Maciej Kosz for reporting this issue


The Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details are available on the PSIRT page.