CVE-2023-28504
Published: 29 March 2023
Summary
CVE-2023-28504 is a critical-severity stack-based buffer overflow (CWE-120 Classic Buffer Overflow, with CWE-787 Out-of-bounds Write) in the UniRPC server component of Rocket Software UniData and UniVerse (listed by NVD under the vendor/product name Rocketsoftware Universe). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, its EPSS ranking places it in the top 16.1% of all CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 contain a stack-based buffer overflow vulnerability tracked as CVE-2023-28504. The flaw, assigned CWE-120 and CWE-787, resides in the UniRPC server component and carries a CVSS 3.1 score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can send specially crafted network requests to trigger the overflow, resulting in arbitrary code execution with root privileges on the affected server. This grants complete control over the database environment, including the ability to read, modify, or delete data and potentially pivot to other systems.
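The pattern described above, an attacker-controlled length field used to copy request bytes into a fixed-size stack buffer, is the generic shape of a CWE-120/CWE-787 bug in a network request handler. The following C example is added here for illustration; it is not UniRPC code (the vulnerable source is not public) and the two-byte length-prefixed wire format, the 64-byte argument buffer, and the function names are assumptions chosen to show the defect beside its fix. It builds constructed messages, shows the hardened handler rejecting an oversized and a truncated message, and never feeds an oversized message to the vulnerable handler, which would otherwise smash its own stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed illustrative wire format (not the real UniRPC protocol):
 *   uint16_t big-endian payload length, followed by that many payload bytes. */
#define MAX_ARG 64

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE (CWE-120 / CWE-787): trusts the attacker-supplied length field and
 * copies that many bytes into a fixed 64-byte stack buffer. A declared length
 * above 64 writes past 'arg' into whatever follows on the stack (saved
 * registers, return address), which is how an unauthenticated request becomes
 * code execution in the server's context. Only call this with a well-formed
 * message; it is here to show the missing check, not to be exercised. */
int handle_request_vuln(const uint8_t *msg, size_t msg_len)
{
    char arg[MAX_ARG];
    if (msg_len < 2) return -1;
    uint16_t declared = rd16be(msg);
    memcpy(arg, msg + 2, declared);   /* no check against sizeof arg or msg_len */
    return (int)declared;             /* bytes "processed" */
}

/* HARDENED: the length field is validated against both the destination buffer
 * and the number of bytes actually received before any copy happens. */
int handle_request_safe(const uint8_t *msg, size_t msg_len)
{
    char arg[MAX_ARG];
    if (msg_len < 2) return -1;
    uint16_t declared = rd16be(msg);
    if (declared > sizeof arg) return -2;            /* would overflow the stack buffer */
    if ((size_t)declared > msg_len - 2) return -3;   /* claims more bytes than were sent */
    memcpy(arg, msg + 2, declared);
    return (int)declared;
}

/* Build a constructed message: 'declared' goes in the header, and 'payload_len'
 * filler bytes ('A') follow. Returns the total bytes written, 0 on no room. */
size_t build_msg(uint8_t *out, size_t out_cap, uint16_t declared, size_t payload_len)
{
    if (out_cap < 2 + payload_len) return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xff);
    memset(out + 2, 'A', payload_len);
    return 2 + payload_len;
}

/* Convenience wrappers: build a message and run one handler over it. */
int run_safe(uint16_t declared, size_t payload_len)
{
    uint8_t buf[600];
    size_t n = build_msg(buf, sizeof buf, declared, payload_len);
    return n ? handle_request_safe(buf, n) : -99;
}

int run_vuln_benign(uint16_t declared, size_t payload_len)
{
    uint8_t buf[600];
    if (declared > MAX_ARG || payload_len < declared) return -99;  /* refuse to self-smash */
    size_t n = build_msg(buf, sizeof buf, declared, payload_len);
    return n ? handle_request_vuln(buf, n) : -99;
}

int main(void)
{
    printf("benign    (len=32, 32 sent): vuln=%d safe=%d\n",
           run_vuln_benign(32, 32), run_safe(32, 32));
    printf("oversize  (len=512, 512 sent): safe=%d (vulnerable handler not called)\n",
           run_safe(512, 512));
    printf("truncated (len=40, 8 sent): safe=%d\n", run_safe(40, 8));
    return 0;
}
```

The two rejected cases matter equally: the oversize message is the overflow itself, while the truncated message is an out-of-bounds read of whatever sits after the receive buffer, which is how these handlers also leak memory when the length is checked against the destination but not against the bytes received.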
Rapid7's public advisory details that this and the related UniRPC vulnerabilities were fixed in the listed builds of UniData and UniVerse and recommends immediate upgrade; since the overflow is in the UniRPC server's own request handling, upgrading the server to a fixed build is the remediation.
The EPSS score rose from a low baseline to a peak of 0.0514 (an estimated 5.1% probability of exploitation within 30 days) before receding to the current 0.0196. That is modest in absolute terms, but the post-disclosure rise indicates measurable exploitation interest, so unpatched UniRPC listeners reachable from untrusted networks should be treated as exposed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32174
Vulnerability details
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from a stack-based buffer overflow that can lead to remote code execution as the root user.
- CWE(s): CWE-120 (Classic Buffer Overflow), CWE-787 (Out-of-bounds Write)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Rocket Software UniData prior to 8.2.4 build 3003
- Rocket Software UniVerse prior to 11.3.5 build 1001
- Rocket Software UniVerse prior to 12.2.1 build 2002
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness types (CWE-120, CWE-787) cited in the NVD entry rather than from the vendor fix. None of them replaces upgrading to the fixed UniData and UniVerse builds listed above, which is the only complete remediation.
- Memory-safe implementation: writing request handlers in managed or memory-safe code, or bounding every native copy by the destination size and the bytes actually received, removes the unchecked buffer copy that is the root cause of classic buffer overflows (CWE-120).
- Memory protections: a non-executable stack and heap (DEP/NX), stack canaries and ASLR make an out-of-bounds write (CWE-787) that corrupts control flow or injects shellcode harder to turn into code execution. They raise the cost of exploitation but do not fix the bug.
- Exposure reduction: restrict network access to the UniRPC listener to trusted administrative networks, since the vulnerability is reachable by any unauthenticated client that can open a connection.