CVE-2023-1663 MEDIUM

CVE-2023-1663: Authenticated Resources Accessible via Forced Browsing

Vendor Synopsys
Product Coverity
Weakness CWE-425 · Forced browsing
Published March 29, 2023
Last update February 12, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

01 Description

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. The root cause of this vulnerability is an insecurely configured servlet mapping for the underlying Apache Tomcat server. As a result, the downloads directory and its contents are accessible.

CVSS temporal score: 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C)

Key dates

02 Disclosure timeline

March 29, 2023 CVE published
February 12, 2025 Record updated