Skip to the content.

DIVD-2023-00027 - Ignite Realtime Openfire auth bypass - CVE-2023-32315

Our reference DIVD-2023-00027
Case lead Hans Meuris
Researcher(s)
CVE(s)
Product Ignite Realtime Openfire
Versions
  • 3.10.0 <= 4.6.7 and 4.7.0 <= 4.7.4
Recommendation Update your system to the latest version
Workaround See vendor writeup: https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvmA
Status Open
Last modified 12 Jul 2023 21:47

Summary

On the may 23th Ignite Realtime released a patch for CVE-2023-32315, which is an authentication bypass through a path traversal vulnerability in Ingnite realtime Openfire software. DIVD will scan and notify systems that haven’t installed the patch and are vulnerable for this CVE.

What you can do

What we are doing

Timeline

Date Description
23 Jun 2023 Started research
09 Jul 2023 publishing casefile
09 Jul 2023 fingerprint
09 Jul 2023 mailrun
gantt title DIVD-2023-00027 - Ignite Realtime Openfire auth bypass - CVE-2023-32315 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00027 - Ignite Realtime Openfire auth bypass - CVE-2023-32315 (still open) :2023-06-23, 2024-03-04 section Events Started research : milestone, 2023-06-23, 0d publishing casefile : milestone, 2023-07-09, 0d fingerprint : milestone, 2023-07-09, 0d mailrun : milestone, 2023-07-09, 0d

More information