Improper Access Control in Devolutions Server Affects User Vaults
CVE-2023-2445
4.9 MEDIUM
What is CVE-2023-2445?
An improper access control vulnerability in Devolutions Server 2023.1.1 and earlier allows an attacker with administrative privileges to access sensitive usage information about folders in user vaults. The attacker abuses the Subscriptions Folder path filter to retrieve folder details without authorization by supplying specific folder names.
Affected Version(s)
Devolutions Server (Windows): versions 0 through 2023.1.1 (inclusive)
CVSS V3.1
Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved