Search
Find a vulnerability
Search criteria
4 vulnerabilities found for com.palantir.acme.gaia:gaia by Palantir
CVE-2023-30971 (GCVE-0-2023-30971)
Vulnerability from nvd – Published: 2025-12-19 16:34 – Updated: 2025-12-19 18:00
VLAI
Title
Gaia unauthenticated endpoints
Summary
Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-592 - This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.231009.45 , < *
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30971",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:24:29.023190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:00:30.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.45",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gotham Gaia application was found to be exposing multiple unauthenticated endpoints."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "This weakness has been deprecated because it covered redundant concepts already described in CWE-287.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:34:19.437Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=4d833960-b5a8-4750-abef-9c447fcd89fb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-37"
],
"discovery": "INTERNAL"
},
"title": "Gaia unauthenticated endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30971",
"datePublished": "2025-12-19T16:34:19.437Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2025-12-19T18:00:30.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30968 (GCVE-0-2023-30968)
Vulnerability from nvd – Published: 2024-03-12 19:39 – Updated: 2024-08-21 15:33
VLAI
Title
Stored XSS in gaia
Summary
One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.240108.11 , < *
(semver)
Unaffected: 100.240203.6 , < * (semver) Unaffected: 100.230807.13 , < * (semver) Unaffected: 100.240205.0-12-gf415217 , < * (semver) Unaffected: 100.231108.82 , < * (semver) Unaffected: 100.231009.47 , < * (semver) Unaffected: 100.240202.9 , < * (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:24.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T15:33:22.486616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T15:33:34.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240108.11",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240203.6",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.230807.13",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240205.0-12-gf415217",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231108.82",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.47",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240202.9",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T19:39:24.226Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-36"
],
"discovery": "INTERNAL"
},
"title": "Stored XSS in gaia"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30968",
"datePublished": "2024-03-12T19:39:24.226Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2024-08-21T15:33:34.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30971 (GCVE-0-2023-30971)
Vulnerability from cvelistv5 – Published: 2025-12-19 16:34 – Updated: 2025-12-19 18:00
VLAI
Title
Gaia unauthenticated endpoints
Summary
Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-592 - This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.231009.45 , < *
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30971",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:24:29.023190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:00:30.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.45",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gotham Gaia application was found to be exposing multiple unauthenticated endpoints."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "This weakness has been deprecated because it covered redundant concepts already described in CWE-287.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:34:19.437Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=4d833960-b5a8-4750-abef-9c447fcd89fb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-37"
],
"discovery": "INTERNAL"
},
"title": "Gaia unauthenticated endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30971",
"datePublished": "2025-12-19T16:34:19.437Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2025-12-19T18:00:30.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30968 (GCVE-0-2023-30968)
Vulnerability from cvelistv5 – Published: 2024-03-12 19:39 – Updated: 2024-08-21 15:33
VLAI
Title
Stored XSS in gaia
Summary
One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.240108.11 , < *
(semver)
Unaffected: 100.240203.6 , < * (semver) Unaffected: 100.230807.13 , < * (semver) Unaffected: 100.240205.0-12-gf415217 , < * (semver) Unaffected: 100.231108.82 , < * (semver) Unaffected: 100.231009.47 , < * (semver) Unaffected: 100.240202.9 , < * (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:24.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T15:33:22.486616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T15:33:34.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240108.11",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240203.6",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.230807.13",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240205.0-12-gf415217",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231108.82",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.47",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240202.9",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T19:39:24.226Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-36"
],
"discovery": "INTERNAL"
},
"title": "Stored XSS in gaia"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30968",
"datePublished": "2024-03-12T19:39:24.226Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2024-08-21T15:33:34.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}