Vulnerability Details CVE-2023-45152
Engelsystem is a shift planning system for chaos events. A blind SSRF in the "Import schedule" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(S) services listen on localhost and/or on systems only reachable from the host running the Engelsystem software. If such services are necessary, they should use additional authentication.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.9%
CVSS Severity
CVSS v3 Score 2.0
Products affected by CVE-2023-45152
- cpe:2.3:a:engelsystem:engelsystem:2.0.0
- cpe:2.3:a:engelsystem:engelsystem:3.0.0
- cpe:2.3:a:engelsystem:engelsystem:3.1.0
- cpe:2.3:a:engelsystem:engelsystem:3.2.0
- cpe:2.3:a:engelsystem:engelsystem:3.3.0
- cpe:2.3:a:engelsystem:engelsystem:3.4.0
- cpe:2.3:a:engelsystem:engelsystem:3.4.1