CVE-2023-32075 - Vulnerability Details - OpenCVE

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Pimcore	Customer Management Framework

Configuration 1 [-]

cpe:2.3:a:pimcore:customer_management_framework:*:*:*:*:*:pimcore:*:*

No data.

References

Link	Providers
https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch
https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9
https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj
https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/

History

Fri, 24 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-11T16:39:37.634Z

Updated: 2025-01-24T16:38:09.717Z

Reserved: 2023-05-01T16:47:35.315Z

Link: CVE-2023-32075

Vulnrichment

Updated: 2024-08-02T15:03:29.082Z

NVD

Status : Modified

Published: 2023-05-11T17:15:09.357

Modified: 2024-11-21T08:02:39.737

Link: CVE-2023-32075

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32075", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-01T16:47:35.315Z", "datePublished": "2023-05-11T16:39:37.634Z", "dateUpdated": "2025-01-24T16:38:09.717Z"}, "containers": {"cna": {"title": "Pimcore vulnerable to Business Logic Errors in Customer automation rules", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj"}, {"name": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch"}, {"name": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9"}, {"name": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "tags": ["x_refsource_MISC"], "url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/"}], "affected": [{"vendor": "pimcore", "product": "customer-data-framework", "versions": [{"version": "< 3.3.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-11T16:39:37.634Z"}, "descriptions": [{"lang": "en", "value": "The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually."}], "source": {"advisory": "GHSA-x99j-r8vv-gwwj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:03:29.082Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj"}, {"name": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch"}, {"name": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9"}, {"name": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-24T16:34:23.576604Z", "id": "CVE-2023-32075", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-24T16:38:09.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "name": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "name": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "name": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:03:29.082Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-32075", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-24T16:34:23.576604Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-24T16:38:02.995Z"}}], "cna": {"title": "Pimcore vulnerable to Business Logic Errors in Customer automation rules", "source": {"advisory": "GHSA-x99j-r8vv-gwwj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pimcore", "product": "customer-data-framework", "versions": [{"status": "affected", "version": "< 3.3.9"}]}], "references": [{"url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "name": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "name": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"]}, {"url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "name": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-11T16:39:37.634Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32075", "state": "PUBLISHED", "dateUpdated": "2025-01-24T16:38:09.717Z", "dateReserved": "2023-05-01T16:47:35.315Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-11T16:39:37.634Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:customer_management_framework:*:*:*:*:*:pimcore:*:*", "matchCriteriaId": "11F1B8A1-060A-495D-81D3-46BF6E471CFB", "versionEndExcluding": "3.3.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually."}], "id": "CVE-2023-32075", "lastModified": "2024-11-21T08:02:39.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-11T17:15:09.357", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}