PT-2023-25657 · Prolion · Prolion Cryptospike
Published: 2023-12-11 · Updated: 2023-12-13 · CVE-2023-36654
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ProLion CryptoSpike version 3.0.15P2
Description
The vulnerability allows a remote, authenticated attacker to download the host server's SSH private keys belonging to the Linux root user by injecting path components (path traversal) into REST API endpoint parameters, specifically those of the log-download endpoint.
Recommendations
For ProLion CryptoSpike version 3.0.15P2, consider disabling access to the log-download REST API endpoint until a patch is available, to prevent exploitation. Restrict access to the SSH private keys to minimize the risk of unauthorized access.
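The description and the recommendation above both come down to one server-side mistake: a file name taken from a REST parameter is joined onto the log directory without confinement. The following is an added example written for this page, not ProLion's or CryptoSpike's code, showing the vulnerable pattern beside a hardened resolver a log-download handler can call, plus a small detector that flags traversal attempts in web-server access logs. The endpoint path `/api/logs/download`, the `file` parameter, the directory `/srv/cryptospike-logs` and the access-log lines are all constructed assumptions for illustration.

```python
"""Hardened log-download file resolution and access-log detection (constructed example).

Endpoint name, parameter name, log directory and sample log lines below are
assumptions made for this illustration; they are not CryptoSpike's real API.
"""
import os
import re
import urllib.parse

# Allow-list: a plain '*.log' file name with no separators, no '..' and no NULs.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.log$")
# Assumed log directory of the (hypothetical) service.
LOG_DIR = "/srv/cryptospike-logs"


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The classic defect: concatenate user input onto the log directory.

    os.path.join drops base_dir entirely when `requested` is absolute, and
    '..' segments walk out of the directory. Shown only to contrast with the
    hardened functions below; never use this for user-controlled names.
    """
    return os.path.join(base_dir, requested)


def is_safe_log_name(requested: str) -> bool:
    """Layer 1: accept only a simple '*.log' file name (no path syntax at all)."""
    return bool(_SAFE_NAME.fullmatch(requested))


def confine_to_dir(base_dir: str, requested: str) -> str:
    """Layer 2: resolve the final path and require it to stay inside base_dir.

    realpath resolves '..' and symlinks before the containment check, so the
    decision is made on the path the OS would actually open.
    Raises ValueError on any escape attempt.
    """
    if "\0" in requested or os.path.isabs(requested):
        raise ValueError("rejected path parameter")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes log directory")
    return target


def resolve_log_download(base_dir: str, requested: str) -> str:
    """Both layers combined, as a download handler would call them."""
    if not is_safe_log_name(requested):
        raise ValueError("file name not allowed")
    return confine_to_dir(base_dir, requested)


def escapes_log_dir(base_dir: str, requested: str) -> bool:
    """True if the hardened resolver rejects `requested` (handy for tests/audits)."""
    try:
        resolve_log_download(base_dir, requested)
    except ValueError:
        return True
    return False


# Constructed access-log lines (Common Log Format style) for the detector below.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [11/Dec/2023:10:00:01 +0000] "GET /api/logs/download?file=app.log HTTP/1.1" 200 5120
10.0.0.7 - bob [11/Dec/2023:10:00:09 +0000] "GET /api/logs/download?file=..%2F..%2F..%2Fetc%2Fssh%2Fssh_host_rsa_key HTTP/1.1" 200 1679
10.0.0.7 - bob [11/Dec/2023:10:00:12 +0000] "GET /api/logs/download?file=/root/.ssh/id_rsa HTTP/1.1" 200 1675
10.0.0.5 - alice [11/Dec/2023:10:01:00 +0000] "GET /api/status HTTP/1.1" 200 42
"""

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(access_log: str, endpoint: str = "/api/logs/download"):
    """Return [(line_no, decoded_file_param)] for requests to `endpoint` whose
    file parameter contains a '..' segment, an absolute path or a backslash
    after URL-decoding. A successful (200) hit on such a line is the signal
    an incident responder would look for when assessing this issue."""
    hits = []
    for line_no, line in enumerate(access_log.splitlines(), 1):
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        url = urllib.parse.urlsplit(match.group(1))
        if url.path != endpoint:
            continue
        # parse_qs decodes once; the extra unquote also catches double-encoding.
        for value in urllib.parse.parse_qs(url.query).get("file", []):
            decoded = urllib.parse.unquote(value)
            if decoded.startswith("/") or "\\" in decoded or ".." in decoded.split("/"):
                hits.append((line_no, decoded))
    return hits


if __name__ == "__main__":
    print(vulnerable_resolve(LOG_DIR, "/root/.ssh/id_rsa"))      # base dir silently discarded
    print(escapes_log_dir(LOG_DIR, "../../etc/ssh/ssh_host_rsa_key"))  # True
    print(resolve_log_download(LOG_DIR, "app.log"))
    for line_no, param in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: suspicious file parameter {param!r}")
```

The allow-list is the control that actually closes the hole; the realpath containment check is defense in depth for the day someone relaxes the regex or a symlink appears inside the log directory. The detector is deliberately narrow (one endpoint, one parameter) so it can be dropped into a log-review script without a flood of false positives.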
Exploit
Fix
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2023-36654
Affected Products
Prolion Cryptospike