CVE-2023-32315
Published: 26 May 2023
Summary
CVE-2023-32315 is a high-severity Path Traversal (CWE-22) vulnerability in Igniterealtime Openfire. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Openfire, an open-source XMPP server, contains a path traversal vulnerability in its web-based administrative console that stems from improper handling of the setup environment. The flaw, tracked as CWE-22, affects every release from version 3.10.0 onward and permits an unauthenticated remote attacker to reach administrative pages that should be restricted after initial configuration.
An attacker can leverage the still-accessible setup flow on an already-configured instance to bypass authentication checks, view or modify sensitive console resources, and ultimately obtain administrative control of the server. The CVSS 3.1 score of 8.6 reflects the combination of network accessibility, lack of required credentials, and the resulting confidentiality, integrity, and availability impact.
The GitHub Security Advisory GHSA-gw42-f939-fhvm and vendor releases 4.7.5 and 4.6.8 contain patches that close the traversal vector, with additional hardening planned for the forthcoming 4.8.0 branch. Administrators unable to upgrade immediately are directed to the advisory for temporary configuration work-arounds.
The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, and its EPSS score has remained consistently high, peaking at 0.9741, indicating sustained exploitation interest following disclosure. Public exploit code referencing both authentication bypass and remote code execution has also been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1548
Vulnerability details
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
- CWE(s): CWE-22
- KEV Date Added: 24 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces access restrictions on administrative console pages, directly blocking the path-traversal bypass that grants unauthenticated access to restricted setup functionality.
- SI-10 (Information Input Validation): Requires validation of user-supplied path and URL input in the setup environment, preventing the directory traversal sequences that enable the authentication bypass.
- Patch application: Mandates timely application of vendor patches (Openfire 4.7.5/4.6.8) that eliminate the path-traversal flaw in the unauthenticated setup code.
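Added example, not Openfire's code or the advisory's: the check that the AC-3 and SI-10 controls above describe, written in Python, deciding authorization on the canonicalized request path and closing the setup flow once setup is complete, shown beside the weak prefix-on-raw-path pattern it replaces. The `/setup/` prefix, the page names and the sample requests are assumptions constructed for the illustration.

```python
"""Authorization on the canonical path (illustration, not Openfire code).
Assumption: the setup flow lives under /setup/ inside the admin console."""
from urllib.parse import unquote

SETUP_PREFIX = "/setup/"  # assumed location of the setup pages


def canonicalize(raw_path: str) -> str:
    """Percent-decode until stable (bounded), then resolve '.', '..' and
    empty segments. A path that climbs above the web root is rejected
    rather than silently clamped, so the caller can deny it."""
    path = raw_path
    for _ in range(3):  # bounded loop defeats double/triple encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/") or "\x00" in path:
        raise ValueError("malformed path")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise ValueError("path escapes web root")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def weak_authorize(raw_path: str, setup_complete: bool, authenticated: bool) -> bool:
    """Flawed pattern: prefix test on the raw path, setup exempt forever.
    setup_complete is ignored, which is exactly the defect."""
    if raw_path.startswith(SETUP_PREFIX):
        return True
    return authenticated


def authorize(raw_path: str, setup_complete: bool, authenticated: bool) -> bool:
    """Hardened pattern: canonicalize first (SI-10), then enforce access
    on the resolved path (AC-3): setup pages only before configuration,
    an authenticated admin session for everything else."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return False
    if path == SETUP_PREFIX.rstrip("/") or path.startswith(SETUP_PREFIX):
        return not setup_complete
    return authenticated


if __name__ == "__main__":
    # Constructed sample requests against an already configured server.
    for req in ["/setup/index.jsp", "/setup/../admin/restricted.jsp",
                "/setup/%2e%2e/admin/restricted.jsp", "/admin/restricted.jsp"]:
        print(f"{req:40} weak={weak_authorize(req, True, False)} "
              f"hardened={authorize(req, True, False)}")
```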