CVE-2023-6916
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Audit records for OpenAPI requests may include sensitive information.
This could lead to unauthorized accesses and privilege escalation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Nozomi Networks | Guardian | 0 < 23.4.1 | affected |
| Nozomi Networks | CMC | 0 < 23.4.1 | affected |
Weaknesses
- CWE-201: CWE-201 Insertion of Sensitive Information Into Sent Data
Workarounds
Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, it is advised to limit API keys to allowed IP addresses whenever possible. Finally, it is also suggested to regenerate existing API keys periodically and to review sign-ins via API keys in the audit records.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.