CVE-2023-47246
Published: 10 November 2023
Summary
CVE-2023-47246 is a critical-severity Path Traversal (CWE-22) vulnerability in SysAid On-Premise (vendor SysAid). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-47246 is a path traversal vulnerability, tracked under CWE-22, that affects SysAid On-Premise versions prior to 23.3.36. The flaw permits an attacker to write a file into the Tomcat webroot, which in turn enables arbitrary code execution on the affected server. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
An unauthenticated remote attacker can exploit the issue to upload and execute malicious code, resulting in full compromise of the SysAid instance. The vulnerability was observed being exploited in the wild in November 2023, consistent with its high exploitation probability scores (current EPSS 0.9438, peak 0.9633).
Vendor advisories direct administrators to apply the latest On-Premise release, available via the documented installation files, and reference the 2023 security enhancements that address this exposure. The accompanying notification blog post outlines the remediation steps for on-premise deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51378
Vulnerability details
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 13 November 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
SysAid On-Premise, versions before 23.3.36.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks the crafted directory-traversal input that allows an unauthenticated attacker to write an arbitrary JSP file into the Tomcat webroot.
- Enforces access-control decisions on file-write operations so that unauthenticated remote requests cannot deposit executable content under the web application root.
- SI-2 (Flaw Remediation): Requires timely application of the vendor-supplied update to version 23.3.36 that eliminates the path-traversal flaw.
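The following is an added illustration of the first two controls above (input validation on a user-supplied file name, plus a write-location check that keeps uploads out of the servlet container's webroot). It is not SysAid code and makes no claim about how the product handles uploads internally; the directory names, the list of forbidden roots and suffixes, and the sample inputs are all constructed for the example.

```python
"""Canonicalise-then-validate check for user-supplied file names.

Added illustration of the SI-10 input-validation control described for
CVE-2023-47246. This is NOT SysAid code and says nothing about how the
product itself handles uploads; all directory names are constructed.
"""
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """Raised when a requested file name must not be written."""


# Constructed example locations: where uploads are allowed to land, and
# where server-executable content must never be written (the Tomcat webroot).
UPLOAD_ROOT = "/srv/example-app/uploads"
FORBIDDEN_ROOTS = ("/opt/tomcat/webapps",)
FORBIDDEN_SUFFIXES = (".jsp", ".jspx", ".war")


def _is_within(child: Path, parent: Path) -> bool:
    """True if `child` is `parent` or lies beneath it (both already resolved)."""
    try:
        child.relative_to(parent)
        return True
    except ValueError:
        return False


def safe_destination(requested_name: str,
                     upload_root: str = UPLOAD_ROOT,
                     forbidden_roots=FORBIDDEN_ROOTS,
                     forbidden_suffixes=FORBIDDEN_SUFFIXES) -> Path:
    """Return the absolute path a file may be written to, or raise UnsafePathError.

    Layer 1 (syntactic): decode once, reject NUL bytes, absolute paths and any
    '..' component, so traversal never reaches the filesystem layer.
    Layer 2 (canonical): resolve the candidate and require that it still lies
    under the upload root and that the upload root is outside every forbidden root.
    Layer 3 (content type): refuse extensions the servlet container would execute.
    """
    if not requested_name:
        raise UnsafePathError("empty file name")
    decoded = unquote(requested_name).replace("\\", "/")
    if "\x00" in decoded:
        raise UnsafePathError("NUL byte in file name")
    rel = PurePosixPath(decoded)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafePathError(f"traversal or absolute path rejected: {requested_name!r}")

    root = Path(upload_root).resolve()
    # Misconfiguration guard: the upload directory itself must not sit in a webroot.
    for forbidden in (Path(p).resolve() for p in forbidden_roots):
        if _is_within(root, forbidden):
            raise UnsafePathError(f"upload root {root} lies under forbidden root {forbidden}")

    candidate = (root / rel).resolve()
    if candidate == root or not _is_within(candidate, root):
        raise UnsafePathError(f"resolved path escapes upload root: {candidate}")
    if candidate.suffix.lower() in forbidden_suffixes:
        raise UnsafePathError(f"server-executable extension rejected: {candidate.suffix}")
    return candidate


def check(requested_name: str, **kwargs) -> str:
    """Convenience wrapper returning 'accept' or 'reject: <reason>'."""
    try:
        safe_destination(requested_name, **kwargs)
        return "accept"
    except UnsafePathError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs, benign and hostile.
    for name in ("reports/q3.pdf", "../../../opt/tomcat/webapps/ROOT/x.jsp",
                 "%2e%2e/%2e%2e/x.jsp", "/etc/passwd", "notes.JSP", "ok\x00.pdf"):
        print(f"{name!r:45} -> {check(name)}")
```

The point of the three layers is that each one catches a case the others can miss: the syntactic check stops encoded or backslash-separated traversal before any path arithmetic happens, the canonical check catches escapes that survive a lax first layer (and an operator who points the upload directory into the webroot), and the suffix check removes the payoff even if a file does land somewhere unexpected.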