CVE-2023-38334
Omnis Studio 10.22.00 Library Unlock
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Omnis Studio 10.22.00 has incorrect access control. It advertises an irreversible feature for locking classes within Omnis libraries: it should be no longer possible to delete, view, change, copy, rename, duplicate, or print a locked class. Due to implementation issues, locked classes in Omnis libraries can be unlocked, and thus further analyzed and modified by Omnis Studio. This allows for further analyzing and also deleting, viewing, changing, copying, renaming, duplicating, or printing previously locked Omnis classes. This violates the expected behavior of an "irreversible operation."
Omnis Studio version 10.22.00 suffers from a locked class bypass vulnerability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-07-14 CVE Reserved
- 2023-07-20 CVE Published
- 2024-10-24 CVE Updated
- 2024-10-24 First Exploit
- 2025-04-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-276: Incorrect Default Permissions
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2023/Jul/43 | Mailing List |
|
| https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-006.txt | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| http://packetstormsecurity.com/files/173696/Omnis-Studio-10.22.00-Library-Unlock.html | 2024-10-24 | |
| http://seclists.org/fulldisclosure/2023/Jul/42 | 2024-10-24 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|