Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-30946

Summary
Assigner-Palantir
Assigner Org ID-bbcbe11d-db20-4bc2-8a6e-c79f87041fd4
Published At-29 Jun, 2023 | 18:49
Updated At-28 Oct, 2024 | 13:03
Rejected At-
Credits

Issues notification metadata lacks authorization

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Palantir
Assigner Org ID:bbcbe11d-db20-4bc2-8a6e-c79f87041fd4
Published At:29 Jun, 2023 | 18:49
Updated At:28 Oct, 2024 | 13:03
Rejected At:
▼CVE Numbering Authority (CNA)
Issues notification metadata lacks authorization

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

Affected Products
Vendor
Palantir
Product
com.palantir.issues:issues
Versions
Affected
  • From * before 2.497.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-420The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
CWECWE-288A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Type: CWE
CWE ID: CWE-420
Description: The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Type: CWE
CWE ID: CWE-288
Description: A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-115An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC ID: CAPEC-115
Description: An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3
N/A
Hyperlink: https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3
x_transferred
Hyperlink: https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve-coordination@palantir.com
Published At:29 Jun, 2023 | 19:15
Updated At:07 Nov, 2023 | 04:14

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Secondary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CPE Matches
palantir
palantir
>>foundry_issues>>Versions before 2.497.0(exclusive)
cpe:2.3:a:palantir:foundry_issues:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE-288Secondarycve-coordination@palantir.com
CWE-420Secondarycve-coordination@palantir.com
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-288
Type: Secondary
Source: cve-coordination@palantir.com
CWE ID: CWE-420
Type: Secondary
Source: cve-coordination@palantir.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3cve-coordination@palantir.com
Vendor Advisory
Hyperlink: https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3
Source: cve-coordination@palantir.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2023-22836
Matching Score-8
Assigner-Palantir Technologies
ShareView Details
Matching Score-8
Assigner-Palantir Technologies
CVSS Score-3.5||LOW
EPSS-0.06% / 17.32%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 18:50
Updated-17 Jun, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
In cases where a multi-tenant stack user is operating Foundry’s Linter service, and the user changes the linter name from the default value, the renamed value may be visible to the rest of the stack’s tenants.

In cases where a multi-tenant stack user is operating Foundry’s Linter service, and the user changes a group name from the default value, the renamed value may be visible to the rest of the stack’s tenants.

Action-Not Available
Vendor-guardiansoftPalantir
Product-guardiancom.palantir.skywise:guardian
CWE ID-CWE-862
Missing Authorization
CVE-2023-30960
Matching Score-8
Assigner-Palantir Technologies
ShareView Details
Matching Score-8
Assigner-Palantir Technologies
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.62%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 21:05
Updated-23 Oct, 2024 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Direct Object Reference (IDOR) in Foundry job-tracker

A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.

Action-Not Available
Vendor-palantirPalantir
Product-foundry_job-trackercom.palantir.foundry.jobtracker:job-tracker
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-30955
Matching Score-8
Assigner-Palantir Technologies
ShareView Details
Matching Score-8
Assigner-Palantir Technologies
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.74%
||
7 Day CHG~0.00%
Published-29 Jun, 2023 | 18:46
Updated-28 Oct, 2024 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foundry workspace-server Developer Mode Authorization Bypass

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.

Action-Not Available
Vendor-palantirPalantir
Product-foundry_workspace-servercom.palantir.workspace:workspace
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-32357
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.72%
||
7 Day CHG~0.00%
Published-05 Apr, 2025 | 00:00
Updated-15 Apr, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for.

Action-Not Available
Vendor-zammadZammad
Product-zammadZammad
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found