CVSS: 6.5 | EPSS: 0% | CPEs: 8 | EXPL: 0

Gotham Table service and Forward App were found to be vulnerable to a path traversal issue allowing an authenticated user to read arbitrary files on the file system.
• https://palantir.safebase.us/?tcuUid=69be99ef-ad24-4339-9017-c8bf70789c72
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-36: Absolute Path Traversal

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

Palantir Gotham was found to be vulnerable to a bug where, under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.
• https://palantir.safebase.us/?tcuUid=2755c49f-2c30-459e-8bdf-f95ef3692da4
• CWE-710: Improper Adherence to Coding Standards
• CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58.
• https://palantir.safebase.us/?tcuUid=92dd599a-07e2-43a8-956a-9c9566794be0
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An Improper Validation of Certificate with Host Mismatch vulnerability in the Gotham Chat IRC helper of Palantir Gotham allows a malicious attacker in a privileged network position to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to intercept, read, or modify network communications to and from the affected service. This issue affects Palantir Gotham Chat IRC helper versions prior to 30221005.210011.9242.
• https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-09.md
• CWE-295: Improper Certificate Validation
• CWE-297: Improper Validation of Certificate with Host Mismatch

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would load portions of maliciously crafted zip files to memory. An attacker could repeatedly upload a malicious zip file, which would allow them to exhaust memory resources on the dispatch server.
• https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-12.md
• CWE-20: Improper Input Validation