Skip to main content

Hub CVE-2023-45823

HIGH
Path Traversal (CWE-22)
2023-10-19 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 19, 2023 - 21:15 nvd
HIGH 7.5

DescriptionNVD

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. During a security audit of Artifact Hub's code base a security researcher identified a bug in which by using symbolic links in certain kinds of repositories loaded into Artifact Hub, it was possible to read internal files. Artifact Hub indexes content from a variety of sources, including git repositories. When processing git based repositories, Artifact Hub clones the repository and, depending on the artifact kind, reads some files from it. During this process, in some cases, no validation was done to check if the file was a symbolic link. This made possible to read arbitrary files in the system, potentially leaking sensitive information. This issue has been resolved in version 1.16.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. During a security audit of Artifact Hub's code base a security researcher identified a bug in which by using symbolic links in certain kinds of repositories loaded into Artifact Hub, it was possible to read internal files. Artifact Hub indexes content from a variety of sources, including git repositories. When processing git based repositories, Artifact Hub clones the repository and, depending on the artifact kind, reads some files from it. During this process, in some cases, no validation was done to check if the file was a symbolic link. This made possible to read arbitrary files in the system, potentially leaking sensitive information. This issue has been resolved in version 1.16.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Artifacthub Hub.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Hub

View all
CVE-2025-65784 MEDIUM POC
6.5 Jan 13

Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-leve

CVE-2026-50242 CRITICAL
9.8 Jun 19

Authentication bypass in JetBrains Hub (the identity and account-management server behind TeamCity, YouTrack, and other

CVE-2026-56141 CRITICAL
9.8 Jun 19

Account takeover in JetBrains Hub is possible through predictable restore codes, affecting all versions prior to 2026.1.

CVE-2025-65783 CRITICAL
9.8 Jan 13

Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF fi

CVE-2022-25262 CRITICAL
9.8 Feb 25

In JetBrains Hub before 2022.1.14434, SAML request takeover was possible. Rated critical severity (CVSS 9.8), this vulne

CVE-2021-43183 CRITICAL
9.8 Nov 09

In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed. Rated critical severity

CVE-2021-36209 CRITICAL
9.8 Aug 06

In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset. Rated critical severity (CVSS

CVE-2026-25848 CRITICAL
9.1 Feb 09

JetBrains Hub before 2025.3.119807 has an authentication bypass allowing administrative actions without proper credentia

CVE-2022-25260 CRITICAL
9.1 Feb 25

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). Rated critical severity (C

CVE-2026-56142 HIGH
8.8 Jun 19

Privilege escalation in JetBrains Hub (versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024

CVE-2014-0177 LOW POC
3.6 May 27

The am function in lib/hub/commands.rb in hub before 1.12.1 allows local users to overwrite arbitrary files via a symlin

CVE-2022-45471 HIGH
7.5 Nov 18

In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address. Rated high

Share

CVE-2023-45823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy