CVE-2023-0391
CVSS V2 None
CVSS V3 None
Description
MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.
Overview
- CVE ID
- CVE-2023-0391
- Assigner
- cve@rapid7.con
- Vulnerability Status
- Analyzed
- Published Version
- 2023-03-21T20:15:11
- Last Modified Date
- 2023-03-27T22:21:40
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:mgt-commerce:cloudpanel:*:*:*:*:*:*:*:* | 1 | OR | 2.2.1 |
References
| Reference URL | Reference Tags |
|---|---|
| https://www.bleepingcomputer.com/news/security/cloudpanel-installations-use-the-same-ssl-certificate-private-key/ | Exploit Press/Media Coverage Third Party Advisory |
| https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-cloudpanel-shared-certificate-vulnerability-and-weak-installation-procedures/ | Exploit Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-0391 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0391 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 03:03:56 | Added to TrackCVE | |||
| 2023-04-17 03:03:58 | Weakness Enumeration | new |