Lucene search

GoogleOSV:GHSA-RX62-5CW6-X29Q

HistoryJun 18, 2023 - 9:30 a.m.

Whaleal IceFrog is vulnerable to deserialization

2023-06-1809:30:17

Google

osv.dev

whaleal icefrog

v1.1.8

aviator template engine

deserialization vulnerability

untrusted data

software

CVSS2

5.2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.009

Percentile

82.4%

JSON

Whaleal IceFrog v1.1.8 component Aviator Template Engine is vulnerable to deserialization of untrusted data. The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

github.com/NanKeXXX/selfVuln_poc/blob/main/whaleal%3Aicefrog/icefrog_1.1.8_RCE.md

github.com/NanKeXXX/selfVuln_poc/blob/main/whaleal:icefrog/icefrog_1.1.8_RCE.md

github.com/whaleal/icefrog

nvd.nist.gov/vuln/detail/CVE-2023-3308

vuldb.com/?ctiid.231804

vuldb.com/?id.231804

CVSS2

5.2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.009

Percentile

82.4%

JSON

Related for OSV:GHSA-RX62-5CW6-X29Q