CVE-2023-49564 — HIGH (8.8)

Vulnerability Description

The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine. The risk can be partially mitigated by restricting access to the management network using external firewall.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Related Weaknesses (CWE)

CWE-288

References

https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/CV

FAQ

What is CVE-2023-49564?

CVE-2023-49564 is a vulnerability with a CVSS score of 8.8 (HIGH). The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows ...

How severe is CVE-2023-49564?

CVE-2023-49564 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-49564?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.