PT-2023-18794 · Tigergraph · Tigergraph Enterprise Free Edition
Published: 2023-04-13 · Updated: 2023-04-24 · CVE-2023-22951
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TigerGraph Enterprise Free Edition versions 3.x
Description
An issue was discovered in which an authentication token intended for internal system use is created and can be read from the configuration file. Presenting this token to the REST API gives an attacker anonymous admin-level privileges on all REST API endpoints.
Recommendations
For TigerGraph Enterprise Free Edition version 3.x, restrict access to the configuration file so that the authentication token cannot be read. As a temporary workaround, restrict access to all REST API endpoints until a patch is available.
Weakness Enumeration
Incorrect Default Permissions
Related Identifiers
CVE-2023-22951
Affected Products
Tigergraph Enterprise Free Edition