PT-2023-24242 · Talend · Talend Data Catalog

Christian Weiler (+2) · Published 2023-05-26 · Updated 2025-01-16 · CVE-2023-33247

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Talend Data Catalog versions prior to 8.0-20230413

Description: The issue concerns the remote harvesting server, which exposes a "/upgrade" endpoint that allows a WAR file to be deployed on the server without authentication. A mitigation measure is to place the remote harvesting server behind a firewall that only allows access from the Talend Data Catalog server.

Recommendations: For versions prior to 8.0-20230413, update to version 8.0-20230413 or later to resolve the issue. As a temporary workaround, restrict access to the "/upgrade" endpoint until the patch can be applied. Place the remote harvesting server behind a firewall that only allows access from the Talend Data Catalog server to minimize the risk of exploitation.
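The workaround above reduces the exposure to a single trusted source, the Talend Data Catalog server. A simple way to verify that the restriction is actually in effect, and to spot requests that reached the endpoint from elsewhere, is to check the harvesting server's HTTP access log for "/upgrade" requests whose source address is outside the allow list. The following script is an added example, not code from the advisory or from Talend; the log lines are constructed in Common Log Format, and the allowed address `10.0.1.5` is a placeholder for the Talend Data Catalog server.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format); not taken from a real system.
SAMPLE_LOG = """\
10.0.1.5 - - [26/May/2023:10:00:01 +0000] "POST /upgrade HTTP/1.1" 200 512
203.0.113.42 - - [26/May/2023:10:00:07 +0000] "POST /upgrade HTTP/1.1" 200 512
10.0.1.5 - - [26/May/2023:10:00:09 +0000] "GET /status HTTP/1.1" 200 64
198.51.100.7 - - [26/May/2023:10:00:15 +0000] "GET /upgrade/ HTTP/1.1" 401 0
"""

# Assumption: only the Talend Data Catalog server may reach the harvester.
# 10.0.1.5 is a placeholder; replace it with the real catalog server address.
ALLOWED_SOURCES = [ip_network("10.0.1.5/32")]

# Minimal Common Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip):
    """True if the client address falls inside one of the allowed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def is_upgrade_path(path):
    """Match /upgrade exactly, ignoring a trailing slash and any query string."""
    return path.split("?", 1)[0].rstrip("/") == "/upgrade"


def find_upgrade_from_untrusted(log_text):
    """Return the parsed records for /upgrade requests from non-allowed sources.

    Any hit means the firewall restriction is not (or was not) in place,
    regardless of whether the request succeeded (status 200) or was refused.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upgrade_path(rec["path"]) and not is_allowed(rec["ip"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_upgrade_from_untrusted(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
```

Run it against the harvester's real access log instead of `SAMPLE_LOG` once the firewall rule is in place; an empty result is the expected state, and any successful (2xx) hit from an address outside the allow list on an unpatched version should be treated as a potential deployment of an untrusted WAR file and investigated.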

Fix

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2023-33247

Affected Products

Talend Data Catalog