CVE-2023-47174

Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within the specific context of Thorn SFTP gateway, this leads to remote code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
thorntechsftp_gateway_firmware
3.4.0 ≤
𝑥
< 3.4.4
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
thorntechsftp_gateway
3.4x ≤
𝑥
< 3.4.4
ADP
Common Weakness Enumeration
References
https://help.thorntech.com/docs/sftp-gateway-gcp-3.0/gcp-java-deserialization-rce/
https://help.thorntech.com/docs/sftp-gateway-gcp-3.0/gcp-java-deserialization-rce/