Cyber Resilience

CVE-2023-22523

High

Published: 06 December 2023
Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0719 (91.8th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22523 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Atlassian Assets Discovery Data Center. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-22523 is a remote code execution vulnerability in the communication path between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. It affects any machine with the Assets Discovery agent installed and carries a CVSS 3.1 score of 8.8, reflecting a network attack vector, low attack complexity, and low required privileges.

An authenticated attacker can exploit the flaw over the network to obtain privileged remote code execution, resulting in complete loss of confidentiality, integrity, and availability on the targeted host.

Atlassian has published official security advisories and linked Jira entries that address the issue. The associated EPSS score has held steady at 0.0719 (its peak) since disclosure, indicating no material rise in observed exploitation interest.

EU & UK References

Vulnerability details

This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

atlassian assets discovery cloud: versions 1.0.0 through 3.2.0
atlassian assets discovery data center: versions 1.0.0 through 3.1.11 and 6.0.0 through 6.2.0
atlassian assets discovery data server: versions 1.0.0 through 3.1.11 and 6.0.0 through 6.2.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References