CVE-2023-6239: Incorrect calculation of effective permissions
DESCRIPTION:
Rare issue, where the calculation of effective permissions could produce a faulty result if an object used a specific configuration of metadata-driven permissions.
AFFECTED PRODUCTS:
M-Files Server 23.9
M-Files Server 23.10
M-Files Server 23.11 versions prior to 23.11.13168.7
MORE INFORMATION:
Fixed in 23.11 Service Release 1 (version 23.11.13168.7). Updated to cloud servers during maintenance break on November 26th.
CVSS 3.1 Base Score: 5.4
CVSS 3.1 Temporal Score: N/A
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-281 Improper Preservation of Permissions
CAPEC: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
Internal ID: 169036
Date issued: 2023-11-21
EXPLOITABILITY
Publicly disclosed: No
Exploited: Unknown
Propability of exploitation: low - responsibly reported
LINKS
https://www.cve.org/CVERecord?id=CVE-2023-6239
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6239/
HISTORY
2023-11-28 Published
Priority:
Critical*