Security Advisory 2023-05-15 Disputing NIST score for Concrete CMS CVE-2023-28473

May 15, 2023
by lisan

It recently came to our attention that NIST misunderstood the likelihood and impact of a vulnerability recently reported by PortlandLabs, the founders and maintainers of the open source project Concrete CMS.

We are disputing NIST's score of 9.8 for CVE-2023-28473. Our security team rated this vulnerability 2.2 with the CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N&version=3.1

The vulnerability reported by CVE-2023-28473 is that Concrete CMS prior to 9.2 compared an md5 hash with a user-provided 'password' string to 'authenticate' running jobs, using PHP's loose == comparison. Sometimes md5 generates hashes of the form 0e999999999999999999999999999999, where the 9's stand for any digits. If you compare a hash like that to '0' with ==, PHP treats the hash as a number in scientific notation and considers the two equivalent: https://3v4l.org/k8KZo
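To make the comparison flaw concrete, here is an added example (not Concrete CMS code) that checks a constructed hash-shaped string the way the vulnerable code did, beside a strict check. The stored value is constructed to have the "0e" followed by digits shape described above; nothing here depends on which input md5 would have to hash to produce it.

```php
<?php
// Added example, not Concrete CMS's own code.
// Constructed stored value shaped like the hashes the advisory describes:
// "0e" followed by 30 digits. A string like this is a valid numeric string
// in PHP, and its numeric value is 0 (0 x 10^n).
$storedHash = '0e' . str_repeat('1', 30);

// Vulnerable pattern: == on two numeric-looking strings compares them as
// numbers, so "0e111..." == "0" evaluates to true even though the strings
// differ. This is the type-juggling behaviour the advisory refers to.
function vulnerableCheck(string $stored, string $input): bool
{
    return $stored == $input;
}

// Hardened pattern: hash_equals() compares the two strings byte for byte with
// no numeric conversion, and does so in constant time so the comparison does
// not leak how many leading bytes matched.
function hardenedCheck(string $stored, string $input): bool
{
    return hash_equals($stored, $input);
}

// A strict === comparison also avoids the juggling, but is not constant-time.
foreach (['0', $storedHash] as $input) {
    printf(
        "input=%-32s loose=%s strict=%s\n",
        $input,
        vulnerableCheck($storedHash, $input) ? 'MATCH' : 'no',
        hardenedCheck($storedHash, $input) ? 'MATCH' : 'no'
    );
}
// The loose check reports MATCH for the input '0'; the hardened check only
// matches the exact stored string.
```

The same loose-comparison result holds on PHP 7 and PHP 8, because PHP 8 only changed how strings compare against integers, not how two numeric strings compare with each other.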

Please rest assured that Concrete CMS Editor/Administration Authentication is NOT affected by this vulnerability.

The jobs section of the CMS is the only part of the CMS vulnerable to this (highly unlikely) authentication bypass, and the only attack vector is a previously created job potentially being started without authorization. Concrete CMS jobs are scheduled automated tasks such as checking for inactive users, sending scheduled email notifications, reindexing the search engine, and refreshing the sitemap.xml file to improve SEO. More information about Concrete CMS jobs can be found here: https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/jobs/automated-jobs

The potential impacts are:

  • An existing job, created by an authorized individual, being run at an unapproved time
  • DoS potential if the job is run over and over

We calculate that only one in 350 million Concrete sites could potentially be affected. It would be very labor-intensive for an attacker to find a single vulnerable site, if one ever existed at all.