Search criteria
2 vulnerabilities by appsanywhere
CVE-2023-41137 (GCVE-0-2023-41137)
Vulnerability from cvelistv5 – Published: 2023-11-09 15:07 – Updated: 2024-10-28 20:48
VLAI
Summary
Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server.
Severity
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AppsAnywhere | AppsAnywhere Client |
Affected:
1.4.0
Affected: 1.4.1 Affected: 1.5.1 Affected: 1.5.2 Affected: 1.6.0 Affected: 2.0.0 Unaffected: 1.6.1 Unaffected: 2.0.1 Unaffected: 2.2.0 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:54:04.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "AppsAnywhere Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:*:*:*:*:windows:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:*:*:*:*:windows:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.4.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:*:*:*:*:windows:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.5.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:*:*:*:*:windows:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.6.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:*:*:*:*:windows:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "2.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.5.2"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:41:50.135678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T20:48:57.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AppsAnywhere Client",
"vendor": "AppsAnywhere",
"versions": [
{
"status": "affected",
"version": "1.4.0"
},
{
"status": "affected",
"version": "1.4.1"
},
{
"status": "affected",
"version": "1.5.1"
},
{
"status": "affected",
"version": "1.5.2"
},
{
"status": "affected",
"version": "1.6.0"
},
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "unaffected",
"version": "1.6.1"
},
{
"status": "unaffected",
"version": "2.0.1"
},
{
"status": "unaffected",
"version": "2.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gaelan Steele"
}
],
"descriptions": [
{
"lang": "en",
"value": "Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-09T15:07:51.211Z",
"orgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae",
"shortName": "AppCheck"
},
"references": [
{
"name": "AppsAnywhere Security Advisory",
"url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory"
}
],
"x_generator": {
"engine": "cveClient/1.0.14"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae",
"assignerShortName": "AppCheck",
"cveId": "CVE-2023-41137",
"datePublished": "2023-11-09T15:07:51.211Z",
"dateReserved": "2023-08-23T16:10:33.947Z",
"dateUpdated": "2024-10-28T20:48:57.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41138 (GCVE-0-2023-41138)
Vulnerability from cvelistv5 – Published: 2023-11-09 15:05 – Updated: 2024-09-04 13:38
VLAI
Summary
The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.
Severity
7.5 (High)
CWE
- CWE-226 - Incorrect Privilege Assignment
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AppsAnywhere | AppsAnywhere Client |
Affected:
1.4.0
Affected: 1.4.1 Affected: 1.5.1 Affected: 1.5.2 Affected: 1.6.0 Affected: 2.0.0 Unaffected: 1.6.1 Unaffected: 2.0.1 Unaffected: 2.2.0 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:54:02.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "AppsAnywhere Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.4.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.5.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.2:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.5.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "1.6.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "appsanywhere_client",
"vendor": "appsanywhere",
"versions": [
{
"status": "affected",
"version": "2.0.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:35:31.902425Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:38:11.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AppsAnywhere Client",
"vendor": "AppsAnywhere",
"versions": [
{
"status": "affected",
"version": "1.4.0"
},
{
"status": "affected",
"version": "1.4.1"
},
{
"status": "affected",
"version": "1.5.1"
},
{
"status": "affected",
"version": "1.5.2"
},
{
"status": "affected",
"version": "1.6.0"
},
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "unaffected",
"version": "1.6.1"
},
{
"status": "unaffected",
"version": "2.0.1"
},
{
"status": "unaffected",
"version": "2.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gaelan Steele"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-226",
"description": "Incorrect Privilege Assignment",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-09T15:05:24.035Z",
"orgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae",
"shortName": "AppCheck"
},
"references": [
{
"name": "AppsAnywhere Security Advisory",
"url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory"
}
],
"x_generator": {
"engine": "cveClient/1.0.14"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae",
"assignerShortName": "AppCheck",
"cveId": "CVE-2023-41138",
"datePublished": "2023-11-09T15:05:24.035Z",
"dateReserved": "2023-08-23T16:10:33.947Z",
"dateUpdated": "2024-09-04T13:38:11.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}