How severe is CVE-2023-2158?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2023-2158?

This is classified as CWE-321, which is a common weakness in software security.

CVE-2023-2158 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Related Vulnerabilities

CVE-2016-4437

CRITICAL

CVSS:9.8(Critical)

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unsp...

CWE-3212016

CVE-2017-14021

CRITICAL

CVSS:9.8(Critical)

A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G v...

CWE-3212017

CVE-2018-0040

CRITICAL

CVSS:9.8(Critical)

Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized acc...

CWE-3212018

CVE-2019-19750

CRITICAL

CVSS:9.8(Critical)

minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product.

CWE-3212019

CVE-2019-19752

CRITICAL

CVSS:9.8(Critical)

nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as o...

CWE-3212019

CVE-2020-6990

CRITICAL

CVSS:9.8(Critical)

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic ...

CWE-3212020