CVE-2023-30946Authentication Bypass Using an Alternate Path or Channel in Com.palantir.issues Issues

CWE-288Authentication Bypass Using an Alternate Path or ChannelCWE-420Unprotected Alternate Channel3 documents3 sources
Severity
4.3MEDIUMNVD
CNA3.5
EPSS
0.4%
top 42.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Palantir Com.palantir.issues IssuesPalantir Foundry Issues
Timeline
PublishedJun 29

Description

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5palantir/com.palantir.issues_issues*2.497.0

🔴Vulnerability Details

2
CVEList
Issues notification metadata lacks authorization2023-06-29
GHSA
GHSA-63fq-r3mp-fpcf: A security defect was identified in Foundry Issues2023-06-29
CVE-2023-30946 — MEDIUM severity | cvebase