CVE-2023-2268

7.1 HIGH

📋 TL;DR

CVE-2023-2268 is an information disclosure vulnerability in Plane version 0.7.1 that allows unauthenticated attackers to access all user files stored on the server. This affects any organization running the vulnerable Plane version, potentially exposing sensitive user data.

💻 Affected Systems

Products:
  • Plane
Versions: 0.7.1
Operating Systems: All platforms running Plane
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Plane version 0.7.1. Earlier versions may have different vulnerabilities.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all user files including sensitive documents, credentials, and proprietary data leading to data breach, regulatory fines, and reputational damage.

🟠 Likely Case

Unauthorized access to user files containing business documents, personal information, and potentially sensitive configuration files.

🟢 If Mitigated

Limited exposure if files are encrypted at rest and access controls are properly implemented at the storage layer.

🌐 Internet-Facing: HIGH - Unauthenticated access means any internet-connected attacker can exploit this without credentials.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but doing so requires network access to the Plane instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit - attackers can directly access file endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.2 or later

Vendor Advisory: https://github.com/makeplane/plane/releases

Restart Required: Yes

Instructions:

1. Back up your Plane instance data.
2. Stop the Plane service.
3. Update to version 0.7.2 or later using your package manager or from GitHub releases.
4. Restart the Plane service.
5. Verify the fix is applied.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict network access to the Plane instance using firewall rules:

iptables -A INPUT -p tcp --dport [plane_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [plane_port] -j DROP

These rules are appended, so they only take effect if no earlier INPUT rule already accepts the traffic. If Plane runs in Docker with a published port, the traffic is filtered in the DOCKER-USER chain rather than INPUT, so add the equivalent rules there.

Reverse Proxy Authentication (all)

Place Plane behind a reverse proxy that requires authentication.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to the Plane instance
  • Deploy a WAF or reverse proxy with authentication in front of the Plane instance

🔍 How to Verify

Check if Vulnerable:

Check whether you are running Plane version 0.7.1 by looking at the web interface or the installed package version.

Check Version:

docker inspect plane | grep version
(or check the package manager: apt list --installed | grep plane)

Verify Fix Applied:

Attempt to access user file endpoints without authentication; on a patched instance these should return 401/403 errors.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to file endpoints
  • Multiple 200 responses to /api/files/* from unauthenticated users

Network Indicators:

  • Unusual file download patterns from unauthenticated IPs
  • High volume of requests to file endpoints

SIEM Query:

source="plane.log" AND (uri_path="/api/files/*" OR uri_path="/files/*") AND http_status=200 AND user="-"
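As an added example (not from this page or from the Plane project), the following Python applies the same logic as the SIEM query above to access-log lines: it flags successful (200) requests to the file endpoints that carried no authenticated user and counts them per source address. It assumes Common Log Format, where the third field is the authenticated user, and the sample entries are constructed.

```python
import re
from collections import Counter

# Assumed: access logs in Common Log Format, where the third field is the
# authenticated user ("-" when the request carried no authenticated identity).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File endpoints named in the page's log indicators and SIEM query.
FILE_PREFIXES = ("/api/files/", "/files/")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_unauth_file_hit(rec):
    """True when an unauthenticated request to a file endpoint succeeded (HTTP 200)."""
    return (
        rec["user"] == "-"
        and rec["status"] == "200"
        and rec["path"].startswith(FILE_PREFIXES)
    )


def find_hits(lines):
    """Return the suspicious records plus a per-source-IP count of them."""
    hits = [r for r in map(parse_line, lines) if r and is_unauth_file_hit(r)]
    return hits, Counter(r["ip"] for r in hits)


# Constructed sample lines (not real traffic): one authenticated download,
# one unauthenticated request that was correctly rejected, one unrelated
# API call, and three unauthenticated file downloads that should be flagged.
SAMPLE_LOG = """\
203.0.113.10 - alice [10/May/2023:12:00:01 +0000] "GET /api/files/report.pdf HTTP/1.1" 200 51234
198.51.100.7 - - [10/May/2023:12:00:05 +0000] "GET /api/files/report.pdf HTTP/1.1" 200 51234
198.51.100.7 - - [10/May/2023:12:00:06 +0000] "GET /files/notes.docx HTTP/1.1" 200 8812
198.51.100.7 - - [10/May/2023:12:00:07 +0000] "GET /api/files/budget.xlsx HTTP/1.1" 200 410
192.0.2.44 - - [10/May/2023:12:01:00 +0000] "GET /api/files/report.pdf HTTP/1.1" 401 0
192.0.2.44 - - [10/May/2023:12:01:02 +0000] "GET /api/users/me HTTP/1.1" 200 77
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = find_hits(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} unauthenticated 200s on file endpoints")
    for r in hits:
        print(f"  {r['time']} {r['ip']} {r['method']} {r['path']}")
```

Point `find_hits` at your real access log and treat any source with a non-zero count as a candidate for the exposure described above; on a patched instance the same requests should appear with 401/403 instead.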

🔗 References
