CVE-2023-6910: Uncontrolled Resource Consumption in M-Files Server

DESCRIPTION

A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.

AFFECTED PRODUCTS

M-Files Server before 23.12.13195.0

M-Files Server before 23.2 LTS SR6 (this service release is not affected)

M-Files Server before 23.8 LTS SR4 (this service release is not affected)

MORE INFORMATION

Exploiting the vulnerability requires authentication or anonymous authentication to be enabled in an M-Files vault.

CVSS 3.1 Base Score: 6.5

CVSS 3.1 Temporal Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CWE: CWE-770 Allocation of Resources Without Limits or Throttling

CAPEC: CAPEC-130: Excessive Allocation

Internal ID: 167985

Date issued: 2023-12-18

EXPLOITABILITY

Publicly disclosed: No

Exploited: No

Propability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2023-6910

HISTORY

2023-12-18 Published
2024-01-30 Affected products updated
2024-08-28 CWE Updated

Review M-Files on Gartner® Peer Insights™ & get a $25 gift card!

Review now
X