
DIVD-2023-00027 - Ignite Realtime Openfire auth bypass - CVE-2023-32315

Our reference DIVD-2023-00027
Case lead Hans Meuris
Researcher(s)
CVE(s)
Product Ignite Realtime Openfire
Versions
  • 3.10.0 <= 4.6.7 and 4.7.0 <= 4.7.4
Recommendation Update your system to the latest version
Workaround See vendor writeup: https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvmA
Status Closed
Last modified 12 Jun 2024 14:45 CEST

Summary

On May 23rd, Ignite Realtime released a patch for CVE-2023-32315, an authentication bypass through a path traversal vulnerability in Ignite Realtime Openfire software. DIVD will scan for and notify systems that haven't installed the patch and are vulnerable to this CVE.

What you can do

What we are doing

Timeline

Date Description
23 Jun 2023 Started research
09 Jul 2023 publishing casefile
09 Jul 2023 fingerprint
09 Jul 2023 mailrun
06 Sep 2023 Case closed

More information