
CVE-2023-22738: vantage6 vulnerable to Improper Preservation of Permissions

CVSS Score
6.5 (CVSS v3.1)

Basic Information

EPSS Score
0.2976%
Published
2/28/2023
Updated
11/18/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name  Ecosystem  Vulnerable Versions  First Patched Version
vantage6      pip        < 3.8.0              3.8.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The fix commit removes organization_id handling from the UserResource.patch method. Before 3.8.0, that method accepted an organization_id parameter and updated user.organization_id while leaving the user's existing roles and rules in place, so a user moved to another organization kept the permissions that had been granted in the old one. That is the improper permission preservation described in CVE-2023-22738.
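The following is an added illustration, not vantage6 code: a minimal Python model of the bug described above. The Rule, Role and User classes, the `allowed` check, the two `patch_user_*` handlers and the sample organizations are all constructed here as assumptions about how organization-scoped permissions behave; they are not the vantage6 API. The vulnerable handler applies organization_id from the request body and keeps the user's roles, so an organization-scoped rule that used to cover organization 1 now covers organization 2. The fixed handler mirrors the 3.8.0 change by no longer treating organization_id as an updatable field.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    resource: str
    scope: str        # "organization" or "global" (assumed scopes for this example)
    operation: str


@dataclass
class Role:
    name: str
    organization_id: int      # the organization the role was created for
    rules: frozenset


@dataclass
class User:
    username: str
    organization_id: int
    roles: list = field(default_factory=list)


def allowed(user: User, resource: str, operation: str, target_org: int) -> bool:
    """Authorization check modelled on organization-scoped rules (an assumption
    of this example): a rule with scope "organization" grants access only to the
    organization the user *currently* belongs to. That is exactly why changing
    user.organization_id without dropping roles re-targets every such rule."""
    for role in user.roles:
        for rule in role.rules:
            if rule.resource != resource or rule.operation != operation:
                continue
            if rule.scope == "global" or target_org == user.organization_id:
                return True
    return False


def patch_user_vulnerable(user: User, body: dict) -> User:
    """Pre-3.8.0 behaviour as described in the root-cause analysis:
    organization_id from the request body is applied and roles are preserved."""
    if "organization_id" in body:
        user.organization_id = body["organization_id"]
    if "username" in body:
        user.username = body["username"]
    return user


def patch_user_fixed(user: User, body: dict) -> User:
    """3.8.0 behaviour: organization_id is no longer an updatable field.
    Rejecting it with an error, rather than silently ignoring it, is this
    example's choice so that callers notice the field is unsupported."""
    if "organization_id" in body:
        raise ValueError("organization_id cannot be changed via PATCH")
    if "username" in body:
        user.username = body["username"]
    return user


def demo_cross_org_access():
    """Returns (can_view_org2_before, can_view_org2_after_vulnerable_patch,
    fixed_patch_rejected) for constructed sample data."""
    org_a, org_b = 1, 2
    # Constructed sample role: organization admin of org 1, may view its users.
    admin_a = Role("org-admin", org_a, frozenset({Rule("user", "organization", "view")}))

    alice = User("alice", org_a, roles=[admin_a])
    before = allowed(alice, "user", "view", org_b)          # False: scoped to org 1

    patch_user_vulnerable(alice, {"organization_id": org_b})
    after = allowed(alice, "user", "view", org_b)           # True: role retained, now scoped to org 2

    bob = User("bob", org_a, roles=[admin_a])
    try:
        patch_user_fixed(bob, {"organization_id": org_b})
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected


if __name__ == "__main__":
    print(demo_cross_org_access())
```

The second value returned by `demo_cross_org_access` is the unintended access: nothing about the role changed, only the user's organization, and the scoped rule followed the user. If a deployment genuinely needs to move users between organizations, the safe alternative to the 3.8.0 approach is to clear the user's roles and rules in the same transaction as the organization change, so that permissions are re-granted explicitly in the new organization rather than carried over.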


WAF Protection Rules

WAF Rule

Impact
Assigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might
