CVE-2023-42455

Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
wazuhwazuh-dashboard
4.4.0 ≤
𝑥
< 4.4.2
wazuhwazuh-kibana-app
4.4.0 ≤
𝑥
< 4.4.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
wazuhwazuh-kibana-app
4.4.0 ≤
𝑥
< 4.4.2
ADP
wazuhwazuh-dashboard
4.4.0 ≤
𝑥
< 4.4.2
ADP
Common Weakness Enumeration
References
https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427
https://github.com/wazuh/wazuh-kibana-app/pull/5428
https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf
https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427
https://github.com/wazuh/wazuh-kibana-app/pull/5428
https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf