CVE-2023-30948 MEDIUM

CVE-2023-30948: Retrieval of Attachments to Comments lacks Authorization

Vendor Palantir

Product com.palantir.comments:comments

Weakness CWE-285

Published June 6, 2023

Last update January 7, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.

Key dates

02Disclosure timeline

June 6, 2023 CVE published

January 7, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-30948 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

04Related CVE

CVE-2021-35964 Learningdigital.com, Inc. Orca HCM - Broken Authentication CVE-2025-9602 Xinhu RockOA index.php publicsaveAjax improper authorization CVE-2025-49701 Microsoft SharePoint Remote Code Execution Vulnerability CVE-2023-5808 System Management Unit (SMU) versions prior to 14.8.7825.01, used to manage Hitachi Vantara NAS products are susceptible to unintended information disclosure via unprivileged access to HNAS configuration backup and diagnostic data. CVE-2025-14089 Himool ERP AdminActionViewSet update_account improper authorization