CVE-2023-34600
Published: 20 June 2023
Summary
CVE-2023-34600 is a critical-severity SQL Injection (CWE-89) vulnerability in Adiscon LogAnalyzer. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE ranks in the top 1.8% of all CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Adiscon LogAnalyzer versions 4.1.13 and earlier contain a SQL injection vulnerability tracked as CVE-2023-34600 and assigned CWE-89. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, and no required privileges or user interaction, resulting in high impact to confidentiality, integrity, and availability.
Remote unauthenticated attackers can supply crafted input that reaches backend database queries and thereby read, modify, or delete arbitrary data, or, depending on database configuration and privileges, potentially execute operating-system commands. Successful exploitation grants complete control over the log data and the underlying database instance.
The EPSS score for this CVE currently stands at 0.5827, equal to its observed peak, indicating sustained but not sharply increasing exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38655
Vulnerability details
Adiscon LogAnalyzer v4.1.13 and before is vulnerable to SQL Injection.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.