Vulnerability-Lookup

CNVD-2023-84326

Vulnerability from cnvd - Published: 2023-11-09

Title

HCL Technologies Compass访问控制错误漏洞

Description

HCL Technologies Compass是美国HCL Technologies公司的一个低代码变更管理软件。管理全方位的测试活动以及与开发人员工具的集成。 HCL Technologies Compass存在访问控制错误漏洞，该漏洞源于当调用注销功能时，应用程序不会使经过身份验证的会话失效，攻击者可利用此漏洞可以将其重播到应用程序并用于模拟用户。

Severity

高

Patch Name

HCL Technologies Compass访问控制错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107511

Reference

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107511

Impacted products

Name
['HCL Technologies HCL Compass >=2.0.0,<=2.0.3', 'HCL Technologies HCL Compass 2.1.0', 'HCL Technologies HCL Compass >=2.2.0，<=2.2.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-37504",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-37504"
    }
  },
  "description": "HCL Technologies Compass\u662f\u7f8e\u56fdHCL Technologies\u516c\u53f8\u7684\u4e00\u4e2a\u4f4e\u4ee3\u7801\u53d8\u66f4\u7ba1\u7406\u8f6f\u4ef6\u3002\u7ba1\u7406\u5168\u65b9\u4f4d\u7684\u6d4b\u8bd5\u6d3b\u52a8\u4ee5\u53ca\u4e0e\u5f00\u53d1\u4eba\u5458\u5de5\u5177\u7684\u96c6\u6210\u3002\n\nHCL Technologies Compass\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u8c03\u7528\u6ce8\u9500\u529f\u80fd\u65f6\uff0c\u5e94\u7528\u7a0b\u5e8f\u4e0d\u4f1a\u4f7f\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u4f1a\u8bdd\u5931\u6548\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u5c06\u5176\u91cd\u64ad\u5230\u5e94\u7528\u7a0b\u5e8f\u5e76\u7528\u4e8e\u6a21\u62df\u7528\u6237\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107511",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-84326",
  "openTime": "2023-11-09",
  "patchDescription": "HCL Technologies Compass\u662f\u7f8e\u56fdHCL Technologies\u516c\u53f8\u7684\u4e00\u4e2a\u4f4e\u4ee3\u7801\u53d8\u66f4\u7ba1\u7406\u8f6f\u4ef6\u3002\u7ba1\u7406\u5168\u65b9\u4f4d\u7684\u6d4b\u8bd5\u6d3b\u52a8\u4ee5\u53ca\u4e0e\u5f00\u53d1\u4eba\u5458\u5de5\u5177\u7684\u96c6\u6210\u3002\r\n\r\nHCL Technologies Compass\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u8c03\u7528\u6ce8\u9500\u529f\u80fd\u65f6\uff0c\u5e94\u7528\u7a0b\u5e8f\u4e0d\u4f1a\u4f7f\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u4f1a\u8bdd\u5931\u6548\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u5c06\u5176\u91cd\u64ad\u5230\u5e94\u7528\u7a0b\u5e8f\u5e76\u7528\u4e8e\u6a21\u62df\u7528\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "HCL Technologies Compass\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "HCL Technologies HCL Compass \u003e=2.0.0,\u003c=2.0.3",
      "HCL Technologies HCL Compass 2.1.0",
      "HCL Technologies HCL Compass \u003e=2.2.0\uff0c\u003c=2.2.3"
    ]
  },
  "referenceLink": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107511",
  "serverity": "\u9ad8",
  "submitTime": "2023-10-23",
  "title": "HCL Technologies Compass\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2023-37504 (GCVE-0-2023-37504)

Vulnerability from cvelistv5 – Published: 2023-10-19 00:09 – Updated: 2024-09-12 18:04

Title

An insufficient session expiration vulnerability affects HCL Compass

Summary

HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Assigner

HCL

References

URL

Tags

https://support.hcltechsw.com/csm?id=kb_article&s…

Impacted products

	Vendor	Product	Version
	HCL Software	HCL Compass	Affected: 2.0, 2.1, 2.2

Date Public ?

2023-10-18 23:30

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:16:30.324Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107511"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:hcl_software:hcl_compass:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "hcl_compass",
            "vendor": "hcl_software",
            "versions": [
              {
                "status": "affected",
                "version": "2.0"
              },
              {
                "status": "affected",
                "version": "2.1"
              },
              {
                "status": "affected",
                "version": "2.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-37504",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-12T18:03:06.887414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T18:04:17.190Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL Compass",
          "vendor": "HCL Software",
          "versions": [
            {
              "status": "affected",
              "version": "2.0, 2.1, 2.2"
            }
          ]
        }
      ],
      "datePublic": "2023-10-18T23:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. \u0026nbsp;If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. \u00a0If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-19T00:09:02.682Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0107511"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "An insufficient session expiration vulnerability affects HCL Compass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2023-37504",
    "datePublished": "2023-10-19T00:09:02.682Z",
    "dateReserved": "2023-07-06T16:11:40.094Z",
    "dateUpdated": "2024-09-12T18:04:17.190Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-84326

CVE-2023-37504 (GCVE-0-2023-37504)

Tags

Sightings

Nomenclature