CVE-2023-30970

Summary

Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.

Affected Software

VendorProductVersion RangeStatus
Palantircom.palantir.gotham:blackbird-witchcraft* < 104.30231002.10affected
Palantircom.palantir.gotham:blackbird-witchcraft* < 104.30231001.8affected
Palantircom.palantir.gotham:blackbird-witchcraft* < 104.30230807.59affected
Palantircom.palantir.gotham:blackbird-witchcraft* < 104.30230908.21affected
Palantircom.palantir.gotham:blackbird-witchcraft* < 103.30230304.433affected
Palantircom.palantir.gotham:blackbird-witchcraft* < 104.30230604.81affected
Palantircom.palantir.gotham:blackbird-witchcraft* < 104.30231003.9affected

Weaknesses

  • CWE-36: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References