CVE-2023-6239: Incorrect calculation of effective permissions

DESCRIPTION:

A rare issue in which the calculation of effective permissions could produce a faulty result if an object used a specific configuration of metadata-driven permissions.

AFFECTED PRODUCTS:

M-Files Server 23.9

M-Files Server 23.10

M-Files Server 23.11 versions prior to 23.11.13168.7

MORE INFORMATION:

Fixed in 23.11 Service Release 1 (version 23.11.13168.7). The update was deployed to cloud servers during the maintenance break on November 26th.

CVSS 3.1 Base Score: 5.4

CVSS 3.1 Temporal Score: N/A

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-281 Improper Preservation of Permissions

CAPEC: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels

Internal ID: 169036

Date issued: 2023-11-21

EXPLOITABILITY

Publicly disclosed: No

Exploited: Unknown

Probability of exploitation: low - responsibly reported

LINKS

https://www.cve.org/CVERecord?id=CVE-2023-6239

https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6239/

HISTORY

2023-11-28 Published

Priority:

Critical*