CVE-2023-37268

Published: Jul 14, 2023

Modified: Oct 18, 2024

PUBLISHED

CVSS v3.1

6.4

MEDIUM

Description

Warpgate is an SSH, HTTPS and MySQL bastion host for Linux that doesn't need special client apps. When logging in as a user with SSO enabled an attacker may authenticate as an other user. Any user account which does not have a second factor enabled could be compromised. This issue has been addressed in commit `8173f6512a` and in releases starting with version 0.7.3. Users are advised to upgrade. Users unable to upgrade should require their users to use a second factor in authentication.

Vendor	Product	Versions
warp-tech	warpgate	affected `< 0.7.3`

Weaknesses (CWE)

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/warp-tech/warpgate/security/advisories/GHSA-868r-97g5-r9g4

x_refsource_CONFIRM

https://github.com/warp-tech/warpgate/commit/8173f6512ab6183fa5edc5c9a5f3760b8979271e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37268

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References