CVE-2023-26469
Published: 17 August 2023
Summary
CVE-2023-26469 is a critical-severity Path Traversal (CWE-22) vulnerability in Jorani Jorani. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-26469 is a path traversal vulnerability (CWE-22) affecting Jorani version 1.0.0. The flaw permits an attacker to traverse directories and access arbitrary files on the server, which can be leveraged to execute code remotely. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
Unauthenticated remote attackers can exploit the issue over the network to read sensitive files and achieve full code execution on the affected Jorani instance, resulting in complete confidentiality, integrity, and availability impact.
Public references include a working remote code execution exploit published on Packet Storm and additional technical details hosted in the Orange Cyberdefense CVE repository; the Jorani project site documents general security features but does not describe a specific patch or mitigation for this CVE.
The EPSS score currently stands at 0.9302 with a recorded peak of 0.9573, indicating sustained high exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30288
Vulnerability details
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.