PT-2023-21922 · General Bytes · General Bytes Crypto Application Server
Published
2023-03-21
·
Updated
2023-03-27
·
CVE-2023-28725
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
General Bytes Crypto Application Server (CAS) versions prior to 20221118.48
General Bytes Crypto Application Server (CAS) 20230120.x versions prior to 20230120.44
Description
An unauthenticated remote attacker can execute arbitrary Java code by uploading a Java application into the "/batm/app/admin/standalone/deployments" directory. That directory is the hot-deployment directory of the application server CAS runs on (the standalone/deployments layout used by JBoss/WildFly): any .war or .jar placed there is picked up by the deployment scanner and started with the privileges of the CAS service, so a successful upload is a full server compromise. The vulnerability was exploited in the wild in March 2023.
Recommendations
For versions prior to 20221118.48, update to version 20221118.48 or later.
For 20230120.x versions prior to 20230120.44, update to version 20230120.44 or later.
As a temporary workaround until the update is applied, restrict access to the "/batm/app/admin/standalone/deployments" directory. Because the issue was exploited in the wild, also review that directory for .war/.jar files and deployment-scanner marker files (for example "name.war.deployed") that you did not install; an unknown deployment there means attacker code has already been loaded and the host should be handled as compromised.
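A check a practitioner would want next to the workaround above, added here as an example and not code from General Bytes: a POSIX shell audit of the hot-deployment directory that reports every deployable artifact (or scanner marker for one) that is not on an operator-maintained allowlist. The directory path is the one named in the advisory; the allowlist entries and sample file names (legit-a.war, legit-b.war, x7.war) are hypothetical, and the sample directory is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not General Bytes code. Audits a WildFly/JBoss-style
# hot-deployment directory for artifacts that are not on an allowlist.
# The default path is the one named in the advisory; the allowlist
# contents and the sample file names below are hypothetical.

DEPLOY_DIR_DEFAULT=/batm/app/admin/standalone/deployments

# Map a deployment-scanner marker file back to its artifact:
# "app.war.deployed" -> "app.war". The marker suffixes are the
# WildFly/JBoss deployment scanner's own convention.
artifact_base() {
    printf '%s\n' "$1" |
        sed -E 's/\.(deployed|dodeploy|failed|isdeploying|undeployed|pending|skipdeploy)$//'
}

# Report every .war/.jar/.ear (or marker for one) in DIR whose artifact
# name is not listed, one per line, in ALLOWLIST. Prints one
# "UNEXPECTED ..." line per offending file and returns 1 if any were found,
# 0 when the directory holds only allowlisted deployments.
audit_deployments() {
    dir=$1
    allow=$2
    found=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        base=$(artifact_base "$name")
        case "$base" in
            *.war|*.jar|*.ear) ;;
            *) continue ;;            # not a deployable artifact
        esac
        if ! grep -qxF -- "$base" "$allow"; then
            size=$(wc -c < "$path" | tr -d ' ')
            mtime=$(date -r "$path" '+%Y-%m-%dT%H:%M:%S' 2>/dev/null || echo unknown)
            printf 'UNEXPECTED %s (%s bytes, mtime %s)\n' "$name" "$size" "$mtime"
            found=1
        fi
    done
    return $found
}

# Constructed sample (not real CAS data): two hypothetical legitimate
# deployments and one planted application "x7.war" with its marker.
make_sample_deployments() {
    mkdir -p "$1"
    : > "$1/legit-a.war";  : > "$1/legit-a.war.deployed"
    : > "$1/legit-b.war";  : > "$1/legit-b.war.deployed"
    printf 'PK' > "$1/x7.war"; : > "$1/x7.war.deployed"
    : > "$1/README.txt"   # non-artifact, must be ignored
}

# Allowlist of deployments an operator expects to see (hypothetical names).
write_allowlist() {
    printf '%s\n' legit-a.war legit-b.war > "$1"
}

# Demo over the constructed sample. In production point the audit at
# "$DEPLOY_DIR_DEFAULT" with a maintained allowlist, e.g. from cron.
tmp=$(mktemp -d)
make_sample_deployments "$tmp/deployments"
write_allowlist "$tmp/allowlist"
if audit_deployments "$tmp/deployments" "$tmp/allowlist"; then
    echo "OK: only allowlisted deployments present"
else
    echo "ALERT: unexpected deployment artifacts found, treat as possible compromise"
fi
rm -rf "$tmp"
```

Capture the allowlist from a known-good install before exposing the host and run the audit periodically against the real directory. A ".deployed" marker beside an unknown artifact is the more alarming finding of the two: it means the deployment scanner has already loaded and started that application, so the check belongs in incident triage as well as in routine monitoring.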
Exploit
Fix
Weakness Enumeration
Unrestricted File Upload
Related Identifiers
CVE-2023-28725
Affected Products
General Bytes Crypto Application Server