CVE-2023-28141 (GCVE-0-2023-28141)
Vulnerability from cvelistv5 – Published: 2023-04-18 15:50 – Updated: 2025-03-03 19:22
VLAI?
Summary
An NTFS Junction condition exists in the Qualys Cloud Agent
for Windows platform in versions before 4.8.0.31. Attackers may write files to
arbitrary locations via a local attack vector. This allows attackers to assume
the privileges of the process, and they may delete or otherwise on unauthorized
files, allowing for the potential modification or deletion of sensitive files
limited only to that specific directory/file object. This vulnerability is
bounded to the time of installation/uninstallation and can only be exploited locally.
At the time of this disclosure, versions before 4.0 are
classified as End of Life.
Severity ?
6.7 (Medium)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Qualys | Cloud Agent |
Affected:
3.1.3.34 , < 4.8.0.31
(custom)
|
Credits
Lockheed Martin Red Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.qualys.com/security-advisories/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T20:05:41.211914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T19:22:56.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Cloud Agent",
"vendor": "Qualys",
"versions": [
{
"lessThan": "4.8.0.31",
"status": "affected",
"version": "3.1.3.34",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin Red Team"
}
],
"datePublic": "2023-04-18T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn NTFS Junction condition exists in the Qualys Cloud Agent\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\narbitrary locations via a local attack vector. This allows attackers to assume\nthe privileges of the process, and they may delete or otherwise on unauthorized\nfiles, allowing for the potential modification or deletion of sensitive files\nlimited only to that specific directory/file object. This vulnerability is\nbounded to the time of installation/uninstallation and can only be exploited locally.\u003c/p\u003e\n\n\u003cp\u003eAt the time of this disclosure, versions before 4.0 are\nclassified as End of Life.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "\nAn NTFS Junction condition exists in the Qualys Cloud Agent\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\narbitrary locations via a local attack vector. This allows attackers to assume\nthe privileges of the process, and they may delete or otherwise on unauthorized\nfiles, allowing for the potential modification or deletion of sensitive files\nlimited only to that specific directory/file object. This vulnerability is\nbounded to the time of installation/uninstallation and can only be exploited locally.\n\n\n\nAt the time of this disclosure, versions before 4.0 are\nclassified as End of Life.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Proof of Concept"
}
],
"value": "Proof of Concept"
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-19T17:51:24.456Z",
"orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
"shortName": "Qualys"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.qualys.com/security-advisories/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nUpgrade to 4.8.0.31 of Qualys Cloud Agent for Windows.\n\n\u003cbr\u003e"
}
],
"value": "\nUpgrade to 4.8.0.31 of Qualys Cloud Agent for Windows.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NTFS Junction",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
"assignerShortName": "Qualys",
"cveId": "CVE-2023-28141",
"datePublished": "2023-04-18T15:50:19.411Z",
"dateReserved": "2023-03-10T21:23:28.797Z",
"dateUpdated": "2025-03-03T19:22:56.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:qualys:cloud_agent:*:*:*:*:*:windows:*:*\", \"versionStartIncluding\": \"3.1.3.34\", \"versionEndExcluding\": \"4.8.0.31\", \"matchCriteriaId\": \"EA975AAE-08D4-4B1F-BA55-C9F55B32A93F\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"\\nAn NTFS Junction condition exists in the Qualys Cloud Agent\\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\\narbitrary locations via a local attack vector. This allows attackers to assume\\nthe privileges of the process, and they may delete or otherwise on unauthorized\\nfiles, allowing for the potential modification or deletion of sensitive files\\nlimited only to that specific directory/file object. This vulnerability is\\nbounded to the time of installation/uninstallation and can only be exploited locally.\\n\\n\\n\\nAt the time of this disclosure, versions before 4.0 are\\nclassified as End of Life.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\"}]",
"id": "CVE-2023-28141",
"lastModified": "2024-11-21T07:54:28.663",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"bugreport@qualys.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.2}]}",
"published": "2023-04-18T16:15:09.087",
"references": "[{\"url\": \"https://www.qualys.com/security-advisories/\", \"source\": \"bugreport@qualys.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.qualys.com/security-advisories/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "bugreport@qualys.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"bugreport@qualys.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-28141\",\"sourceIdentifier\":\"bugreport@qualys.com\",\"published\":\"2023-04-18T16:15:09.087\",\"lastModified\":\"2024-11-21T07:54:28.663\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nAn NTFS Junction condition exists in the Qualys Cloud Agent\\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\\narbitrary locations via a local attack vector. This allows attackers to assume\\nthe privileges of the process, and they may delete or otherwise on unauthorized\\nfiles, allowing for the potential modification or deletion of sensitive files\\nlimited only to that specific directory/file object. This vulnerability is\\nbounded to the time of installation/uninstallation and can only be exploited locally.\\n\\n\\n\\nAt the time of this disclosure, versions before 4.0 are\\nclassified as End of Life.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"bugreport@qualys.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"bugreport@qualys.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:qualys:cloud_agent:*:*:*:*:*:windows:*:*\",\"versionStartIncluding\":\"3.1.3.34\",\"versionEndExcluding\":\"4.8.0.31\",\"matchCriteriaId\":\"EA975AAE-08D4-4B1F-BA55-C9F55B32A93F\"}]}]}],\"references\":[{\"url\":\"https://www.qualys.com/security-advisories/\",\"source\":\"bugreport@qualys.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.qualys.com/security-advisories/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"platforms\": [\"Windows\"], \"product\": \"Cloud Agent\", \"vendor\": \"Qualys\", \"versions\": [{\"lessThan\": \"4.8.0.31\", \"status\": \"affected\", \"version\": \"3.1.3.34\", \"versionType\": \"custom\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Lockheed Martin Red Team\"}], \"datePublic\": \"2023-04-18T16:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cp\u003eAn NTFS Junction condition exists in the Qualys Cloud Agent\\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\\narbitrary locations via a local attack vector. This allows attackers to assume\\nthe privileges of the process, and they may delete or otherwise on unauthorized\\nfiles, allowing for the potential modification or deletion of sensitive files\\nlimited only to that specific directory/file object. This vulnerability is\\nbounded to the time of installation/uninstallation and can only be exploited locally.\u003c/p\u003e\\n\\n\u003cp\u003eAt the time of this disclosure, versions before 4.0 are\\nclassified as End of Life.\u003c/p\u003e\\n\\n\\n\\n\\n\\n\u003cp\u003e\u003c/p\u003e\\n\\n\\n\\n\\n\\n\"}], \"value\": \"\\nAn NTFS Junction condition exists in the Qualys Cloud Agent\\nfor Windows platform in versions before 4.8.0.31. Attackers may write files to\\narbitrary locations via a local attack vector. This allows attackers to assume\\nthe privileges of the process, and they may delete or otherwise on unauthorized\\nfiles, allowing for the potential modification or deletion of sensitive files\\nlimited only to that specific directory/file object. This vulnerability is\\nbounded to the time of installation/uninstallation and can only be exploited locally.\\n\\n\\n\\nAt the time of this disclosure, versions before 4.0 are\\nclassified as End of Life.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\"}], \"exploits\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Proof of Concept\"}], \"value\": \"Proof of Concept\"}], \"impacts\": [{\"capecId\": \"CAPEC-132\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-132 Symlink Attack\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-59\", \"description\": \"CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda\", \"shortName\": \"Qualys\", \"dateUpdated\": \"2023-04-19T17:51:24.456Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://www.qualys.com/security-advisories/\"}], \"solutions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\\n\\nUpgrade to 4.8.0.31 of Qualys Cloud Agent for Windows.\\n\\n\u003cbr\u003e\"}], \"value\": \"\\nUpgrade to 4.8.0.31 of Qualys Cloud Agent for Windows.\\n\\n\\n\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"title\": \"NTFS Junction\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:30:24.099Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"vendor-advisory\", \"x_transferred\"], \"url\": \"https://www.qualys.com/security-advisories/\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28141\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-10T20:05:41.211914Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T19:22:51.255Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2023-28141\", \"assignerOrgId\": \"8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Qualys\", \"dateReserved\": \"2023-03-10T21:23:28.797Z\", \"datePublished\": \"2023-04-18T15:50:19.411Z\", \"dateUpdated\": \"2025-03-03T19:22:56.830Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…