CVE-2023-39343 - Vulnerability Details - OpenCVE

Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Sulu	Sulu

Configuration 1 [-]

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b
https://github.com/sulu/sulu/releases/tag/2.5.10
https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr

History

Thu, 03 Oct 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-04T00:06:29.997Z

Updated: 2024-10-03T18:21:46.144Z

Reserved: 2023-07-28T13:26:46.476Z

Link: CVE-2023-39343

Vulnrichment

Updated: 2024-08-02T18:02:06.889Z

NVD

Status : Modified

Published: 2023-08-04T01:15:10.250

Modified: 2024-11-21T08:15:11.757

Link: CVE-2023-39343

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39343", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-28T13:26:46.476Z", "datePublished": "2023-08-04T00:06:29.997Z", "dateUpdated": "2024-10-03T18:21:46.144Z"}, "containers": {"cna": {"title": "Sulu Observable Response Discrepancy on Admin Login", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"}, {"name": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "tags": ["x_refsource_MISC"], "url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"}, {"name": "https://github.com/sulu/sulu/releases/tag/2.5.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/sulu/sulu/releases/tag/2.5.10"}], "affected": [{"vendor": "sulu", "product": "sulu", "versions": [{"version": ">= 2.5.0, < 2.5.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T00:06:29.997Z"}, "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. \n\n"}], "source": {"advisory": "GHSA-wmwf-49vv-p3mr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.889Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"}, {"name": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"}, {"name": "https://github.com/sulu/sulu/releases/tag/2.5.10", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sulu/sulu/releases/tag/2.5.10"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T18:21:36.480062Z", "id": "CVE-2023-39343", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:21:46.144Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "name": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "name": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/sulu/sulu/releases/tag/2.5.10", "name": "https://github.com/sulu/sulu/releases/tag/2.5.10", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.889Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39343", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-03T18:21:36.480062Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:21:41.754Z"}}], "cna": {"title": "Sulu Observable Response Discrepancy on Admin Login", "source": {"advisory": "GHSA-wmwf-49vv-p3mr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "sulu", "product": "sulu", "versions": [{"status": "affected", "version": ">= 2.5.0, < 2.5.10"}]}], "references": [{"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "name": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "name": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sulu/sulu/releases/tag/2.5.10", "name": "https://github.com/sulu/sulu/releases/tag/2.5.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. \n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T00:06:29.997Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39343", "state": "PUBLISHED", "dateUpdated": "2024-10-03T18:21:46.144Z", "dateReserved": "2023-07-28T13:26:46.476Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-08-04T00:06:29.997Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "matchCriteriaId": "A840F85F-B8DC-41C1-81BE-691995D30ADF", "versionEndExcluding": "2.5.10", "versionStartIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. \n\n"}], "id": "CVE-2023-39343", "lastModified": "2024-11-21T08:15:11.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-04T01:15:10.250", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sulu/sulu/releases/tag/2.5.10"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/sulu/sulu/releases/tag/2.5.10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Secondary"}]}