Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-32315
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Openfire administration console authentication bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ignite Realtime Openfire 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ignite Realtime Openfire是Ignite Realtime社区的一款采用Java开发且基于XMPP(前称Jabber,即时通讯协议)的跨平台开源实时协作(RTC)服务器。它能够构建高效率的即时通信服务器,并支持上万并发用户数量。 Ignite Realtime Openfire 存在安全漏洞,该漏洞源于允许未经身份验证的用户在已配置的 Openfire 环境中使用未经身份验证的 Openfire 设置环境,以访问为管理用户保留的 Openfire 管理控制台中的受限页面,以下产品和版
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
igniterealtimeOpenfire >= 3.10.0, < 4.6.8 -
II. Public POCs for CVE-2023-32315
#POC DescriptionSource LinkShenlong Link
1Nonehttps://github.com/ohnonoyesyes/CVE-2023-32315POC Details
2rcehttps://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-BypassPOC Details
3Nonehttps://github.com/5rGJ5aCh5oCq5YW9/CVE-2023-32315expPOC Details
4Openfire Console Authentication Bypass Vulnerability with RCE pluginhttps://github.com/miko550/CVE-2023-32315POC Details
5Perform With Massive Openfire Unauthenticated Usershttps://github.com/ThatNotEasy/CVE-2023-32315POC Details
6CVE-2023-32315-Openfire-Bypasshttps://github.com/izzz0/CVE-2023-32315-POCPOC Details
7Tool for CVE-2023-32315 exploitationhttps://github.com/gibran-abdillah/CVE-2023-32315POC Details
8Openfire未授权到RCE(CVE-2023-32315)复现https://github.com/CN016/Openfire-RCE-CVE-2023-32315-POC Details
9A PoC exploit for CVE-2023-32315 - Openfire Authentication Bypasshttps://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOITPOC Details
10Nonehttps://github.com/bryanqb07/CVE-2023-32315POC Details
11Nonehttps://github.com/asepsaepdin/CVE-2023-32315POC Details
12Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-32315.yamlPOC Details
13Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Openfire%E7%AE%A1%E7%90%86%E5%90%8E%E5%8F%B0%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2023-32315.mdPOC Details
14https://github.com/vulhub/vulhub/blob/master/openfire/CVE-2023-32315/README.mdPOC Details
15Nonehttps://github.com/pulentoski/Explotacion-CVE-2023-32315-OpenfirePOC Details
16CVE-2023-32315(java7)https://github.com/shiyingzhencai/CVE-2023-32315-java7-POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2023-32315
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: Openfire
Same vendor: igniterealtime
Same weakness: CWE-22
V. Comments for CVE-2023-32315

No comments yet

Leave a comment