CVE-2023-42419

EUVD-2023-46871

05.03.2024, 06:15

Maintenance Server, in Cybellum's QCOW air-gapped distribution (China Edition), versions 2.15.5 through 2.27, was compiled with a hard-coded private cryptographic key.

An attacker with administrative privileges & access to the air-gapped server could potentially use this key to run commands on the server.
The issue was resolved in version 2.28.
Earlier versions, including all Cybellum 1.x versions, and distributions for the rest of the world remain unaffected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.8 LOW	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Cybellum	CNA	3.8 LOW	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

References

https://cybellum.com/