CVE-2023-30962 - Vulnerability Details - OpenCVE

The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58 .

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Palantir	Gotham Cerberus

Configuration 1 [-]

cpe:2.3:a:palantir:gotham_cerberus:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0

History

Wed, 25 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Palantir

Published: 2023-09-12T18:29:42.065Z

Updated: 2024-09-25T15:23:04.176Z

Reserved: 2023-04-21T11:25:51.028Z

Link: CVE-2023-30962

Vulnrichment

Updated: 2024-08-02T14:45:24.249Z

NVD

Status : Modified

Published: 2023-09-12T19:15:36.237

Modified: 2024-11-21T08:01:09.747

Link: CVE-2023-30962

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30962", "assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4", "state": "PUBLISHED", "assignerShortName": "Palantir", "dateReserved": "2023-04-21T11:25:51.028Z", "datePublished": "2023-09-12T18:29:42.065Z", "dateUpdated": "2024-09-25T15:23:04.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4", "shortName": "Palantir", "dateUpdated": "2023-09-12T18:29:42.065Z"}, "title": "Stored XSS in cerberus attachments", "affected": [{"vendor": "Palantir", "product": "com.palantir.acme.cerberus:cerberus", "versions": [{"version": "*", "versionType": "semver", "lessThan": "100.230704.0-27-g031dd58", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58 ."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input."}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.", "lang": "en", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "baseSeverity": "MEDIUM", "baseScore": 6.8}, "format": "CVSS"}], "references": [{"url": "https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0"}], "source": {"discovery": "INTERNAL", "defect": ["PLTRSEC-2023-29"]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:24.249Z"}, "title": "CVE Program Container", "references": [{"url": "https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T15:01:25.276014Z", "id": "CVE-2023-30962", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T15:23:04.176Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:24.249Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-30962", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T15:01:25.276014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T15:22:56.229Z"}}], "cna": {"title": "Stored XSS in cerberus attachments", "source": {"defect": ["PLTRSEC-2023-29"], "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"}}], "affected": [{"vendor": "Palantir", "product": "com.palantir.acme.cerberus:cerberus", "versions": [{"status": "affected", "version": "*", "lessThan": "100.230704.0-27-g031dd58", "versionType": "semver"}]}], "references": [{"url": "https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0"}], "descriptions": [{"lang": "en", "value": "The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58 ."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment."}]}], "providerMetadata": {"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4", "shortName": "Palantir", "dateUpdated": "2023-09-12T18:29:42.065Z"}}}, "cveMetadata": {"cveId": "CVE-2023-30962", "state": "PUBLISHED", "dateUpdated": "2024-09-25T15:23:04.176Z", "dateReserved": "2023-04-21T11:25:51.028Z", "assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4", "datePublished": "2023-09-12T18:29:42.065Z", "assignerShortName": "Palantir"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:palantir:gotham_cerberus:*:*:*:*:*:*:*:*", "matchCriteriaId": "A31C066B-4354-4D4D-977D-D733C544E337", "versionEndExcluding": "100.230704.0-27-g031dd58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58 ."}, {"lang": "es", "value": "Se descubri\u00f3 que el servicio Gotham Cerberus ten\u00eda una vulnerabilidad de Cross-Site Scripting (XSS) almacenado que podr\u00eda haber permitido a un atacante con acceso a Gotham lanzar ataques contra otros usuarios. Esta vulnerabilidad se resuelve en Cerberus 100.230704.0-27-g031dd58."}], "id": "CVE-2023-30962", "lastModified": "2024-11-21T08:01:09.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "cve-coordination@palantir.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-12T19:15:36.237", "references": [{"source": "cve-coordination@palantir.com", "tags": ["Vendor Advisory"], "url": "https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0"}], "sourceIdentifier": "cve-coordination@palantir.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "cve-coordination@palantir.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}