CVE-2023-6307

Relative Path Traversal (CWE-23)

Published: Nov 27, 2023 / Updated: 11mo ago

CVSS 9.8 / EPSS 0.05% / Critical

A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246133 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
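The record above describes a relative path traversal (CWE-23) in a download endpoint that takes an imageUrl argument. The following check is an added example, not code from this record or from the JimuReport project, showing how such a handler can canonicalize the requested path and refuse anything that resolves outside its image directory; the image root directory, function names and sample inputs are assumptions.

```python
import os
from urllib.parse import unquote

# Assumed image root; a real deployment would read this from configuration.
IMAGE_ROOT = "/var/lib/imageserver/images"


class PathTraversalError(ValueError):
    """Raised when a requested image path would escape IMAGE_ROOT."""


def resolve_image_path(image_url: str, root: str = IMAGE_ROOT) -> str:
    """Map a user-supplied relative path to a file under root (CWE-23 check).

    Returns the canonical absolute path, or raises PathTraversalError.
    """
    # Decode percent-encoding once so that '%2e%2e%2f' is seen as '../'.
    rel = unquote(image_url)
    # A NUL byte can truncate the path inside native file APIs; refuse it.
    if "\x00" in rel:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslashes as separators so '..\\' is not missed on Windows hosts.
    rel = rel.replace("\\", "/")
    # An absolute path would replace the root during join; refuse it outright.
    if rel.startswith("/"):
        raise PathTraversalError("absolute path rejected")
    root_abs = os.path.realpath(root)
    # realpath collapses '..' segments and resolves symlinks before the check.
    candidate = os.path.realpath(os.path.join(root_abs, rel))
    # The canonical result must be the root itself or one of its descendants;
    # prefix string comparison alone would accept '/images_other/..' style tricks.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PathTraversalError(f"path escapes image root: {image_url!r}")
    if candidate == root_abs:
        raise PathTraversalError("a directory is not a downloadable image")
    return candidate


def is_traversal_attempt(image_url: str) -> bool:
    """Convenience wrapper for logging/detection: True if the value is rejected."""
    try:
        resolve_image_path(image_url)
    except PathTraversalError:
        return True
    return False
```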

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-6307.

Nov 26, 2023 at 3:47 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 26, 2023 at 3:48 PM
CVE Assignment

NVD published the first details for CVE-2023-6307

Nov 27, 2023 at 2:15 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 12.7%)

Nov 27, 2023 at 2:30 PM
Threat Intelligence Report

The critical vulnerability CVE-2023-6307 affects jeecgboot JimuReport up to version 1.6.1. It allows remote attackers to launch a relative path traversal attack through the manipulation of the imageUrl argument in the /download/image functionality. The vendor has not responded to the disclosure, and there are no known mitigations, detections, or patches available. The exploit has been disclosed to the public, posing a significant risk to affected systems.

Dec 4, 2023 at 7:34 PM

Affected Systems

Jeecg/jimureport

Attack Patterns

CAPEC-139: Relative Path Traversal

News

US-CERT Vulnerability Summary for the Week of November 27, 2023
High Vulnerabilities. apache -- dolphinscheduler: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. The information exposed to unauthorized actors may include sensitive data such as database credentials. Users who can't upgrade to the fixed version can also set the environment variable `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus` to work around this, or add the following section in the `application.yaml` file:

```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

This issue affects Apache DolphinScheduler: from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.
CVE-2023-6307 (Tenable, High Severity): https://www.tenable.com/cve/CVE-2023-6307
NA - CVE-2023-6307 - A vulnerability classified as critical was...
JEECGBOOT JIMUREPORT CVE-2023-6307. References: https://www.cve.org/CVERecord?id=CVE-2023-6307, https://vuldb.com/?id.246133, https://vuldb.com/?ctiid.246133, https://github.com/N0b1e6/exp/blob/main/README.md

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
