=====================================================================
                            CERT-Renater

                 Information Note No. 2023/VULN302
_____________________________________________________________________

DATE                 : 07/09/2023

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Serv-U versions 15.4 prior to
                       15.4 HF2.

=====================================================================
https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40060
_____________________________________________________________________

MFA/2FA Bypass Vulnerability in Serv-U 15.4: Serv-U 15.4 and 15.4 HF1
(CVE-2023-40060)

Summary

A vulnerability has been identified within Serv-U 15.4 that, if
exploited, allows an actor to bypass multi-factor/two-factor
authentication. The actor must have administrator-level access to
Serv-U to perform this action. The previous vulnerability
(CVE-2023-35179) was not completely resolved in 15.4 Hotfix 1.

Affected Products

Serv-U 15.4 HF1 and earlier

Fixed Software Release

Serv-U 15.4 HF2

Advisory Details

Severity         6.6 Medium
Advisory ID      CVE-2023-40060
First Published  08/30/2023
Last Updated     08/30/2023
Fixed Version    Serv-U 15.4 HF2
CVSS Score       CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

=========================================================
+ CERT-RENATER       |  tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   |  fax : 01-53-94-20-41            +
+ 75013 Paris        |  email:cert@support.renater.fr   +
=========================================================