Insufficient Validation on Override Codes for Always-Enabled WARP Mode
CVE-2023-3747

5.5MEDIUM

Key Information:

Vendor: Cloudflare
Status: Warp Client
Vendor: CVE Published:; 7 September 2023

What is CVE-2023-3747?

Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date & time on the local device where WARP is running.

Affected Version(s)

WARP Client Android 0 < 6.29

References

https://play.google.com/store/apps/details?id=com.cloudfl...

release-notes

https://developers.cloudflare.com/cloudflare-one/connecti...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 7, 2023
Vulnerability Reserved
Jul 18, 2023

Cloudflare

What is CVE-2023-3747?

Affected Version(s)

References

CVSS V3.1

Timeline