Cyber Resilience

CVE-2023-0744

Severity: Critical · Public PoC

Published: 08 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (commit referenced under Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0852 (92.6th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0744 is a critical-severity Improper Access Control (CWE-284) vulnerability in Answer (answerdev/answer). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-0744 is an improper access control vulnerability, tracked under CWE-284, that affects the answerdev/answer open-source project prior to version 1.0.4. The flaw resides in the web application’s authorization logic and carries a CVSS 3.1 base score of 9.8, reflecting network-exploitable conditions that require no authentication or user interaction.

An unauthenticated remote attacker can exploit the weakness to perform account takeover, gaining full read, write, and administrative control over affected Answer instances. Public proof-of-concept material on PacketStorm demonstrates how the missing access checks can be abused to hijack user accounts without credentials.

The project maintainers addressed the issue in commit c1fa2b13f6b547b96da60b23350bbe2b29de542d; upgrading to release 1.0.4 or later closes the authorization bypass. The associated huntr.dev report and the same commit link serve as the authoritative patch references.

The EPSS score for this CVE rose from lower initial values to a peak of 0.1319 before receding to the current 0.0852, indicating measurable post-disclosure exploitation interest that later subsided.

Vulnerability details

Improper Access Control in GitHub repository answerdev/answer prior to 1.0.4.

CWE(s)

CWE-284: Improper Access Control

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: answer
Product: answer
Version: ≤ 1.0.4

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-284: The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

Addresses CWE-284: Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.

Addresses CWE-284: Supervision and review of access control activities directly detects and remediates improper access configurations or usages.

Addresses CWE-284: Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.

Addresses CWE-284: By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.

Addresses CWE-284: Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

Addresses CWE-284: Requiring prior authorization for each remote access type prevents improper access control over remote connections.

Addresses CWE-284: Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
