CVE-2023-42261

Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/abb47659a19ac772765934f184c65fe16cb3bee7/docker-compose.yml#L30-L31	Patch
https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1211	Issue Tracking Vendor Advisory
https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/748	Issue Tracking Vendor Advisory
https://github.com/woshinibaba222/hack16/blob/main/Unauthorized%20Access%20to%20MobSF.md	Exploit
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/abb47659a19ac772765934f184c65fe16cb3bee7/docker-compose.yml#L30-L31	Patch
https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1211	Issue Tracking Vendor Advisory
https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/748	Issue Tracking Vendor Advisory
https://github.com/woshinibaba222/hack16/blob/main/Unauthorized%20Access%20to%20MobSF.md	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opensecurity:mobile_security_framework::::::::
	cpe:2.3:a:opensecurity:mobile_security_framework:3.7.8:beta::::::

History

No history.

Information

Published : 2023-09-21 22:15

Updated : 2024-11-21 08:22

NVD link : CVE-2023-42261

Mitre link : CVE-2023-42261

CVE.ORG link : CVE-2023-42261

JSON object : View

Products Affected

opensecurity

mobile_security_framework

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2023-42261", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-09-21T22:15:11.823", "references": [{"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/abb47659a19ac772765934f184c65fe16cb3bee7/docker-compose.yml#L30-L31", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1211", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/748", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/woshinibaba222/hack16/blob/main/Unauthorized%20Access%20to%20MobSF.md", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/abb47659a19ac772765934f184c65fe16cb3bee7/docker-compose.yml#L30-L31", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1211", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/748", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/woshinibaba222/hack16/blob/main/Unauthorized%20Access%20to%20MobSF.md", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server."}, {"lang": "es", "value": "** EN DISPUTA ** Mobile Security Framework (MobSF) <=v3.7.8 Beta es vulnerable a permisos inseguros. NOTA: la posici\u00f3n del proveedor es que la autenticaci\u00f3n no se implementa intencionalmente porque el producto no est\u00e1 dise\u00f1ado para un entorno de red que no sea de confianza. Los casos de uso que requieran autenticaci\u00f3n podr\u00edan, por ejemplo, utilizar un servidor proxy inverso."}], "lastModified": "2024-11-21T08:22:23.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33891183-C56B-4054-8CC8-5AE4BF10C711", "versionEndIncluding": "3.7.6"}, {"criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:3.7.8:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B56DF4FF-DDE6-493B-AD2D-90F6BB147E3B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}