CVE-2023-6070 MEDIUM

Vendor Trellix
Product Trellix Enterprise Security Manager (ESM)
Weakness CWE-918 · SSRF
Published November 29, 2023
Last update October 11, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

A server-side request forgery vulnerability in ESM prior to version 11.6.8 allows a low-privileged authenticated user to upload arbitrary content, potentially altering the configuration. This is possible through the certificate validation functionality, where the API accepts uploaded content without checking it for invalid data.

Key dates

Disclosure timeline

November 29, 2023 CVE published
October 11, 2024 Record updated