{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-48294","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-11-14T17:41:15.570Z","datePublished":"2023-11-17T21:12:59.642Z","dateUpdated":"2024-08-02T21:23:39.485Z"},"containers":{"cna":{"title":"Broken Access control on Graphs Feature in LibreNMS","problemTypes":[{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4","tags":["x_refsource_CONFIRM"],"url":"https://github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4"},{"name":"https://github.com/librenms/librenms/commit/489978a923ed52aa243d3419889ca298a8a6a7cf","tags":["x_refsource_MISC"],"url":"https://github.com/librenms/librenms/commit/489978a923ed52aa243d3419889ca298a8a6a7cf"},{"name":"https://github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php#L19C1-L25C2","tags":["x_refsource_MISC"],"url":"https://github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php#L19C1-L25C2"}],"affected":[{"vendor":"librenms","product":"librenms","versions":[{"version":"< 23.11.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-11-17T21:12:59.642Z"},"descriptions":[{"lang":"en","value":"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support 
for a wide range of network hardware and operating systems. In affected versions of LibreNMS, when a user accesses their device dashboard, one request is sent to `graph.php` to retrieve the graphs generated for that particular device. This request can also be made by a low-privilege user, who can use it to enumerate devices on LibreNMS by their ID or hostname. By leveraging this vulnerability, a low-privilege user can see all devices registered by admin users. This vulnerability has been addressed in commit `489978a923`, which is included in release version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}],"source":{"advisory":"GHSA-fpq5-4vwm-78x4","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T21:23:39.485Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/librenms/librenms/security/advisories/GHSA-fpq5-4vwm-78x4"},{"name":"https://github.com/librenms/librenms/commit/489978a923ed52aa243d3419889ca298a8a6a7cf","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/librenms/librenms/commit/489978a923ed52aa243d3419889ca298a8a6a7cf"},{"name":"https://github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php#L19C1-L25C2","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/librenms/librenms/blob/fa93034edd40c130c2ff00667ca2498d84be6e69/html/graph.php#L19C1-L25C2"}]}]}}