CVE-2023-31123 - Vulnerability Details - OpenCVE

`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Effectindex	Tripreporter

Configuration 1 [-]

cpe:2.3:a:effectindex:tripreporter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b
https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6

History

Wed, 29 Jan 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-08T20:01:40.578Z

Updated: 2025-01-29T15:03:56.847Z

Reserved: 2023-04-24T21:44:10.414Z

Link: CVE-2023-31123

Vulnrichment

Updated: 2024-08-02T14:45:25.593Z

NVD

Status : Modified

Published: 2023-05-08T21:15:11.263

Modified: 2024-11-21T08:01:26.327

Link: CVE-2023-31123

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-31123", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-24T21:44:10.414Z", "datePublished": "2023-05-08T20:01:40.578Z", "dateUpdated": "2025-01-29T15:03:56.847Z"}, "containers": {"cna": {"title": "effectindex/tripreporter vulnerable to improper password verification on POST `/api/v1/account/login`", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6"}, {"name": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b", "tags": ["x_refsource_MISC"], "url": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b"}], "affected": [{"vendor": "effectindex", "product": "tripreporter", "versions": [{"version": "< bd80ba833b9023d39ca22e29874296c8729dd53b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-08T20:01:40.578Z"}, "descriptions": [{"lang": "en", "value": "`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually."}], "source": {"advisory": "GHSA-356r-rwp8-h6m6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.593Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6"}, {"name": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-29T15:03:51.287821Z", "id": "CVE-2023-31123", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T15:03:56.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6", "name": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b", "name": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.593Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-31123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-29T15:03:51.287821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T14:59:08.998Z"}}], "cna": {"title": "effectindex/tripreporter vulnerable to improper password verification on POST `/api/v1/account/login`", "source": {"advisory": "GHSA-356r-rwp8-h6m6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "effectindex", "product": "tripreporter", "versions": [{"status": "affected", "version": "< bd80ba833b9023d39ca22e29874296c8729dd53b"}]}], "references": [{"url": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6", "name": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b", "name": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-08T20:01:40.578Z"}}}, "cveMetadata": {"cveId": "CVE-2023-31123", "state": "PUBLISHED", "dateUpdated": "2025-01-29T15:03:56.847Z", "dateReserved": "2023-04-24T21:44:10.414Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-08T20:01:40.578Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:effectindex:tripreporter:*:*:*:*:*:*:*:*", "matchCriteriaId": "94AAC4BC-0731-43E8-99D0-BDEA996D1BFE", "versionEndExcluding": "2023-04-30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually."}], "id": "CVE-2023-31123", "lastModified": "2024-11-21T08:01:26.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-08T21:15:11.263", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/effectindex/tripreporter/commit/bd80ba833b9023d39ca22e29874296c8729dd53b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/effectindex/tripreporter/security/advisories/GHSA-356r-rwp8-h6m6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}