Vulnerability DatabaseCVE-2023-49801
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-49801
January 12, 2024
Lif Auth Server is a server for validating logins, managing information, and account recovery for Lif Accounts. The issue relates to the `get_pfp` and `get_banner` routes on Auth Server. The issue is that there is no check to ensure that the file that Auth Server is receiving through these URLs is correct. This could allow an attacker access to files they shouldn't have access to. This issue has been patched in version 1.4.0.
Related ResourcesĀ (2)
https://github.com/Lif-Platforms/Lif-Auth-Server/security/advisories/GHSA-3v77-pvqq-qg3f
https://github.com/Lif-Platforms/Lif-Auth-Server/commit/c235bcc2ee65e4a0dfb10284cf2cbc750213efeb
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
Relative Path Traversal
CWE-23
EPSS
Base Score:
0.32