CVE-2023-6916

Summary

Audit records for OpenAPI requests may include sensitive information.

This could lead to unauthorized accesses and privilege escalation.

Affected Software

VendorProductVersion RangeStatus
Nozomi NetworksGuardian0 < 23.4.1affected
Nozomi NetworksCMC0 < 23.4.1affected

Weaknesses

  • CWE-201: CWE-201 Insertion of Sensitive Information Into Sent Data

Workarounds

Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, it is advised to limit API keys to allowed IP addresses whenever possible. Finally, it is also suggested to regenerate existing API keys periodically and to review sign-ins via API keys in the audit records.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References