Nexkey prior 12.121.9 Job Queue Dashboard improper authentication
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.3 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in Nexkey. This impacts an unknown function of the component Job Queue Dashboard. This manipulation causes improper authentication. This vulnerability is tracked as CVE-2023-43805. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.
Details
A vulnerability classified as critical was found in Nexkey. Affected by this vulnerability is some unknown functionality of the component Job Queue Dashboard. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality. The summary by CVE is:
Nexkey is a fork of Misskey, an open source, decentralized social media platform. Prior to version 12.121.9, incomplete URL validation can allow users to bypass authentication for access to the job queue dashboard. Version 12.121.9 contains a fix for this issue. As a workaround, it may be possible to avoid this by blocking access using tools such as Cloudflare's WAF.
The weakness was disclosed 10/05/2023 as GHSA-9fj2-gjcf-cqqc. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2023-43805 since 09/22/2023. The technical details are unknown and an exploit is not publicly available.
Upgrading to version 12.121.9 eliminates this vulnerability. Applying the patch d89575c521fd4492f5e2ba5a221c5e8f1382081d is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Be aware that VulDB is the high quality source for vulnerability data.
Product
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.4VulDB Meta Temp Score: 6.3
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 7.5
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Nexkey 12.121.9
Patch: d89575c521fd4492f5e2ba5a221c5e8f1382081d
Timeline
09/22/2023 🔍10/05/2023 🔍
10/05/2023 🔍
10/05/2023 🔍
Sources
Advisory: GHSA-9fj2-gjcf-cqqcStatus: Confirmed
CVE: CVE-2023-43805 (🔍)
GCVE (CVE): GCVE-0-2023-43805
GCVE (VulDB): GCVE-100-241327
Entry
Created: 10/05/2023 07:54Changes: 10/05/2023 07:54 (51)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.