
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.
• https://palantir.safebase.us/?tcuUid=4cf0b6e6-564a-467b-83ae-36fec3a491c3
• CWE-288: Authentication Bypass Using an Alternate Path or Channel
• CWE-420: Unprotected Alternate Channel

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This gave users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.
• https://palantir.safebase.us/?tcuUid=0c3f6c33-4eb0-48b5-ab87-fe48c46a4170
• CWE-602: Client-Side Enforcement of Server-Side Security
• CWE-863: Incorrect Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Contour Service was not checking that users had permission to create an analysis for a given dataset. This could allow an attacker to clutter up Compass folders with extraneous analyses that the attacker would otherwise not have permission to create.
• https://palantir.safebase.us/?tcuUid=14874400-e9c9-4ac4-a8a6-9f4c48a56ff8
• CWE-425: Direct Request ('Forced Browsing')
• CWE-862: Missing Authorization

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

Multiple services, such as VHS (Video History Server), VCD (Video Clip Distributor) and Clips2, were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.
• https://palantir.safebase.us/?tcuUid=e62e4dad-b39b-48ba-ba30-7b7c83406ad9
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-287: Improper Authentication

CVSS: 7.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable to a bug that allowed authenticated users within a Foundry organization to bypass discretionary or mandatory access controls under certain circumstances.
• https://palantir.safebase.us/?tcuUid=7f1fd834-805d-4679-85d0-9d779fa064ae
• CWE-304: Missing Critical Step in Authentication
• CWE-863: Incorrect Authorization