CVE-2023-32315
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console reserved for administrative users.
CISA KEV
- Vendor
- Ignite Realtime
- Product
- Openfire
- Due date
- 2023-09-14
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://www.igniterealtime.org/downloads/#openfire; https://nvd.nist.gov/vuln/detail/CVE-2023-32315
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.igniterealtime.openfire:xmppserver | >=3.10.0,<4.6.8 | 4.6.8 |
| Maven | org.igniterealtime.openfire:xmppserver | >=4.7.0,<4.7.5 | 4.7.5 |
References
- https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm
- https://nvd.nist.gov/vuln/detail/CVE-2023-32315
- https://github.com/igniterealtime/Openfire/commit/2ac00a1ff42f5d3547ef58e21f8cdec992bfcf97
- https://github.com/igniterealtime/Openfire/commit/71f3def2adeaac62729cf544b645c6819c3d9868
- https://github.com/igniterealtime/Openfire/commit/a3b5ebd5032ff7be9d3ada5bf52bea2df96ec881
- https://github.com/igniterealtime/Openfire
- https://github.com/igniterealtime/Openfire/releases/tag/v4.6.8
- https://github.com/igniterealtime/Openfire/releases/tag/v4.7.5
- https://igniterealtime.atlassian.net/browse/OF-2595
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32315
- http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html
- https://www.igniterealtime.org/downloads/#openfire; https://nvd.nist.gov/vuln/detail/CVE-2023-32315
Verify integrity in audit chain (admin only). AS-IS.