CVE-2023-2946 - Vulnerability Details - OpenCVE

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Open-emr	Openemr

Configuration 1 [-]

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4
https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08

History

Tue, 14 Jan 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2023-05-27T00:00:00

Updated: 2025-01-14T18:45:42.238Z

Reserved: 2023-05-27T00:00:00

Link: CVE-2023-2946

Vulnrichment

Updated: 2024-08-02T06:41:03.896Z

NVD

Status : Modified

Published: 2023-05-27T23:15:09.217

Modified: 2024-11-21T07:59:37.437

Link: CVE-2023-2946

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-2946", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2025-01-14T18:45:42.238Z", "dateReserved": "2023-05-27T00:00:00", "datePublished": "2023-05-27T00:00:00"}, "containers": {"cna": {"title": "Improper Access Control in openemr/openemr", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-05-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1."}], "affected": [{"vendor": "openemr", "product": "openemr/openemr", "versions": [{"version": "unspecified", "lessThan": "7.0.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08"}, {"url": "https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-284 Improper Access Control", "cweId": "CWE-284"}]}], "source": {"advisory": "e550f4b0-945c-4886-af7f-ee0dc30b2a08", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.896Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08", "tags": ["x_transferred"]}, {"url": "https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-14T18:45:22.206538Z", "id": "CVE-2023-2946", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-14T18:45:42.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08", "tags": ["x_transferred"]}, {"url": "https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.896Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2946", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-14T18:45:22.206538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-14T18:45:27.775Z"}}], "cna": {"title": "Improper Access Control in openemr/openemr", "source": {"advisory": "e550f4b0-945c-4886-af7f-ee0dc30b2a08", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr/openemr", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "7.0.1", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08"}, {"url": "https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4"}], "descriptions": [{"lang": "en", "value": "Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-05-27T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2023-2946", "state": "PUBLISHED", "dateUpdated": "2025-01-14T18:45:42.238Z", "dateReserved": "2023-05-27T00:00:00", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2023-05-27T00:00:00", "assignerShortName": "@huntrdev"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "30B2EE3F-FA55-46FB-BC32-B041753826A4", "versionEndExcluding": "7.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1."}], "id": "CVE-2023-2946", "lastModified": "2024-11-21T07:59:37.437", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-27T23:15:09.217", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/81832acc14207e577e76c4175967c99ae7e3d3f4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/e550f4b0-945c-4886-af7f-ee0dc30b2a08"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@huntr.dev", "type": "Secondary"}]}