Vulnerabilities > CVE-2023-1975 - Information Exposure Through Sent Data vulnerability in Answer

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
answer
CWE-201

Summary

Insertion of Sensitive Information Into Sent Data in GitHub repository answerdev/answer prior to 1.0.8.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Choosing a Message/Channel Identifier on a Public/Multicast Channel
    Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.
  • Exploiting Incorrectly Configured SSL Security Levels
    An attacker may take advantage of a setting in SSL that allows for weaknesses within that setting to be exploited to gain access to data intended to be encrypted, or injection commands or other traffic into the encrypted stream to cause compromise of either the client or server.