How severe is CVE-2023-42454?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2023-42454?

This is classified as CWE-200, which is a common weakness in software security.

CVE-2023-42454 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the `sqlpage/sqlpage.json` configuration file (not in an environment variable), with the web_root is the current working directory (the default), and with their database exposed publicly, is vulnerable to an attacker retrieving database connection information from SQLPage and using it to connect to their database directly. Version 0.11.0 fixes this issue. Some workarounds are available. Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions. Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue. One should also avoid exposing one's database publicly.

Related Vulnerabilities

CVE-2010-2783

CRITICAL

CVSS:9.1(Critical)

IcedTea6 before 1.7.4 allow unsigned apps to read and write arbitrary files, related to Extended JNLP Services.

CWE-2002010

CVE-2015-2254

CRITICAL

CVSS:9.1(Critical)

Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to capture and change patch loading information resulting in the deletion of directory files and compro...

CWE-2002015

CVE-2015-5041

CRITICAL

CVSS:9.1(Critical)

The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject d...

CWE-2002015

CVE-2016-0903

CRITICAL

CVSS:9.1(Critical)

Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 rely on client-side authentication, which allows remote attackers to spoof clients and read backup data v...

CWE-2002016

CVE-2016-3312

CRITICAL

CVSS:9.1(Critical)

ActiveSyncProvider in Microsoft Windows 10 Gold and 1511 allows attackers to discover credentials by leveraging failure of Universal Outlook to obtain a secure connection, aka "Universal Outlook Infor...

CWE-2002016

CVE-2017-0879

CRITICAL

CVSS:9.1(Critical)

An information disclosure vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-65025028.

CWE-2002017