CVE-2023-42419

05.03.2024, 06:15

Maintenance Server, inCybellum'sQCOW air-gapped distribution (China Edition), versions 2.15.5 through 2.27, was compiled with a hard-coded private cryptographic key.

An attacker with administrative privileges & access to the air-gapped server could potentiallyuse this key to run commands on the server.
The issue was resolved in version 2.28.
Earlier versions, including all Cybellum 1.x versions, and distributions for the rest of the world remain unaffected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.8 LOW	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Cybellum	CNA	3.8 LOW	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

References

https://cybellum.com/