CRITICAL🇵🇱 Wersja polska

CVE-2023-37234

CVSS 9.8v3.1pub. 2024-09-10upd. 2024-09-18

Loftware Spectrum through 4.6 has unprotected JMX Registry.

🤖 AI Analysis
How it works

JMX is a mechanism for managing Java applications that enables monitoring and control of components of a running process. In Loftware Spectrum, the JMX registry is accessible without requiring authentication, which means that anyone with network access to the server can connect to this registry. An attacker can use this to perform management operations, inject code, or manipulate the running application process. The lack of access control (CWE-284) causes the application's security boundary to be effectively bypassed.

Impact

An unauthenticated remote attacker can gain full control over the Loftware Spectrum instance, potentially leading to disclosure of confidential data, modification of configuration, or execution of arbitrary code on the server (RCE).

Mitigation & patch

Patches available from the vendor should be applied according to the references. As a temporary measure, it is recommended to restrict network access to JMX registry ports exclusively to trusted hosts using a firewall, and to enable authentication and SSL/TLS encryption for JMX connections.

Who is affected

Loftware Spectrum in versions up to and including 4.6

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Loftware Spectrum

    APP
    Loftware
    ≤ 4.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-37231CRITICAL9.8PL ✓ten sam produkt

Loftware Spectrum — zakodowane na stałe hasło (Hard-coded Password)

CVE-2023-37227CRITICAL9.8PL ✓ten sam produkt

Niebezpieczna deserializacja danych w Loftware Spectrum przed wersją 4.6 HF13

CVE-2023-37226CRITICAL9.8PL ✓ten sam produkt

Loftware Spectrum — brak uwierzytelnienia dla krytycznej funkcji (Auth Bypass)

CVE-2023-37233HIGH8.8ten sam produkt

Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.

CVE-2023-37230HIGH8.8ten sam produkt

Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.