Search criteria
4 vulnerabilities found for com.palantir.acme.gaia:gaia by Palantir
CVE-2023-30971 (GCVE-0-2023-30971)
Vulnerability from nvd – Published: 2025-12-19 16:34 – Updated: 2025-12-19 18:00
VLAI?
Title
Gaia unauthenticated endpoints
Summary
Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.
Severity ?
6.8 (Medium)
CWE
- CWE-592 - This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.231009.45 , < *
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30971",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:24:29.023190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:00:30.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.45",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gotham Gaia application was found to be exposing multiple unauthenticated endpoints."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "This weakness has been deprecated because it covered redundant concepts already described in CWE-287.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:34:19.437Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=4d833960-b5a8-4750-abef-9c447fcd89fb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-37"
],
"discovery": "INTERNAL"
},
"title": "Gaia unauthenticated endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30971",
"datePublished": "2025-12-19T16:34:19.437Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2025-12-19T18:00:30.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30968 (GCVE-0-2023-30968)
Vulnerability from nvd – Published: 2024-03-12 19:39 – Updated: 2024-08-21 15:33
VLAI?
Title
Stored XSS in gaia
Summary
One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.
Severity ?
6.8 (Medium)
CWE
- CWE-434 - The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.240108.11 , < *
(semver)
Unaffected: 100.240203.6 , < * (semver) Unaffected: 100.230807.13 , < * (semver) Unaffected: 100.240205.0-12-gf415217 , < * (semver) Unaffected: 100.231108.82 , < * (semver) Unaffected: 100.231009.47 , < * (semver) Unaffected: 100.240202.9 , < * (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:24.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T15:33:22.486616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T15:33:34.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240108.11",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240203.6",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.230807.13",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240205.0-12-gf415217",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231108.82",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.47",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240202.9",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T19:39:24.226Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-36"
],
"discovery": "INTERNAL"
},
"title": "Stored XSS in gaia"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30968",
"datePublished": "2024-03-12T19:39:24.226Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2024-08-21T15:33:34.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30971 (GCVE-0-2023-30971)
Vulnerability from cvelistv5 – Published: 2025-12-19 16:34 – Updated: 2025-12-19 18:00
VLAI?
Title
Gaia unauthenticated endpoints
Summary
Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.
Severity ?
6.8 (Medium)
CWE
- CWE-592 - This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.231009.45 , < *
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30971",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:24:29.023190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:00:30.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.45",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gotham Gaia application was found to be exposing multiple unauthenticated endpoints."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-592",
"description": "This weakness has been deprecated because it covered redundant concepts already described in CWE-287.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:34:19.437Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=4d833960-b5a8-4750-abef-9c447fcd89fb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-37"
],
"discovery": "INTERNAL"
},
"title": "Gaia unauthenticated endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30971",
"datePublished": "2025-12-19T16:34:19.437Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2025-12-19T18:00:30.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30968 (GCVE-0-2023-30968)
Vulnerability from cvelistv5 – Published: 2024-03-12 19:39 – Updated: 2024-08-21 15:33
VLAI?
Title
Stored XSS in gaia
Summary
One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.
Severity ?
6.8 (Medium)
CWE
- CWE-434 - The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palantir | com.palantir.acme.gaia:gaia |
Unaffected:
100.240108.11 , < *
(semver)
Unaffected: 100.240203.6 , < * (semver) Unaffected: 100.230807.13 , < * (semver) Unaffected: 100.240205.0-12-gf415217 , < * (semver) Unaffected: 100.231108.82 , < * (semver) Unaffected: 100.231009.47 , < * (semver) Unaffected: 100.240202.9 , < * (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:24.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T15:33:22.486616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T15:33:34.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "com.palantir.acme.gaia:gaia",
"vendor": "Palantir",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240108.11",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240203.6",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.230807.13",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240205.0-12-gf415217",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231108.82",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.231009.47",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "100.240202.9",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product\u0027s environment.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T19:39:24.226Z",
"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"shortName": "Palantir"
},
"references": [
{
"url": "https://palantir.safebase.us/?tcuUid=01589957-ed41-4c74-90a0-3f09f7aee1cb"
}
],
"source": {
"defect": [
"PLTRSEC-2024-36"
],
"discovery": "INTERNAL"
},
"title": "Stored XSS in gaia"
}
},
"cveMetadata": {
"assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4",
"assignerShortName": "Palantir",
"cveId": "CVE-2023-30968",
"datePublished": "2024-03-12T19:39:24.226Z",
"dateReserved": "2023-04-21T11:42:33.501Z",
"dateUpdated": "2024-08-21T15:33:34.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}