Authentication Bypass in CBIS/NCS Manager API by Nokia

CVE-2023-49564

What is CVE-2023-49564?

The CBIS/NCS Manager API by Nokia contains a vulnerability that allows an unauthenticated user to exploit an authentication bypass. This is achieved by sending a specially crafted HTTP header, enabling access to sensitive API functions without valid credentials. The flaw stems from a weak verification mechanism in the authentication implementation located in the Nginx Podman container on the CBIS/NCS Manager host machine. To reduce the risk associated with this vulnerability, it is advisable to restrict access to the management network through external firewall configurations.

References