PatchSiren cyber security CVE debrief
CVE-2023-2958 Origin Software CVE debrief
CVE-2023-2958 is a critical authorization bypass vulnerability in ATS Pro affecting versions before 20230714. NVD describes the flaw as an authorization bypass through a user-controlled key (CWE-639) that can enable authentication abuse and authentication bypass. NVD assigns a CVSS 3.1 base score of 9.8 (network attack vector, low attack complexity, no privileges required, no user interaction), which makes this a high-priority patching item.
- Vendor: Origin Software
- Product: ATS Pro
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-07-17
- Original CVE updated: 2024-11-21
- Advisory published: 2023-07-17
- Advisory updated: 2024-11-21
Who should care
Administrators and security teams responsible for ATS Pro deployments, especially any instance exposed to untrusted networks or integrated into authentication-sensitive workflows. Organizations that rely on ATS Pro for access control, user management, or other protected functions should treat this as urgent.
Technical summary
The vulnerability is classified in the source corpus as an authorization bypass through a user-controlled key, and the third-party advisory maps it to CWE-639. NVD lists the affected CPE as orjinyazilim:ats_pro with versionEndExcluding 20230714, i.e. every version before 20230714 is in scope. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H records high impact to confidentiality, integrity, and availability with unchanged scope, reachable by an unauthenticated network attacker. Because the source description names both authentication abuse and authentication bypass, defensive review should focus on code paths where a client-supplied key or identifier (a user id, account id, record id, or similar) decides who the caller is or which objects the caller may reach, rather than the server-side session doing so.
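The following is an added, generic illustration of the CWE-639 bug class named above, written for this debrief; it is hypothetical code, not ATS Pro's code, and the handler names, request shape, data store, and the `user_id`/`record_id` parameters are all assumptions chosen to show how a user-controlled key turns into both an authorization and an authentication bypass, and what the hardened form looks like:

```python
# Added illustration of CWE-639 (authorization bypass through a user-controlled key).
# Hypothetical code, not from ATS Pro or its vendor: the handlers, the Request shape,
# the sample data and the parameter names are assumptions made for this example.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data: two ordinary users, each owning one record.
USERS = {"alice": 1001, "bob": 1002}
RECORDS = {
    "r-1": {"owner": 1001, "payload": "alice's confidential record"},
    "r-2": {"owner": 1002, "payload": "bob's confidential record"},
}


@dataclass
class Request:
    # Principal taken from the server-side session; None when unauthenticated.
    session_user: Optional[str]
    # Client-controlled query/body fields, exactly as the caller sent them.
    params: Dict[str, str] = field(default_factory=dict)


class AuthzError(Exception):
    pass


def get_record_vulnerable(req: Request) -> str:
    """Vulnerable pattern: the client tells the server who it is.

    Ownership is checked against the user_id *parameter*, never against the
    session, so any caller (even with no session at all) reads any record by
    sending the owner's id next to the record id. That is CWE-639, and it
    doubles as an authentication bypass because identity is never verified.
    """
    user_id = int(req.params["user_id"])
    record = RECORDS[req.params["record_id"]]
    if record["owner"] != user_id:
        raise AuthzError("forbidden")
    return record["payload"]


def get_record_fixed(req: Request) -> str:
    """Hardened pattern: identity comes only from the server-side session.

    The client may still name the record it wants, but ownership is checked
    against the authenticated principal. Missing and forbidden records raise
    the same error so the endpoint is not an oracle for which ids exist.
    """
    if req.session_user is None or req.session_user not in USERS:
        raise AuthzError("authentication required")
    user_id = USERS[req.session_user]
    record = RECORDS.get(req.params.get("record_id", ""))
    if record is None or record["owner"] != user_id:
        raise AuthzError("not found")
    return record["payload"]


def attempt(handler, req: Request) -> Tuple[str, str]:
    """Run a handler and report ("ok", payload) or ("denied", reason)."""
    try:
        return ("ok", handler(req))
    except (AuthzError, KeyError, ValueError) as exc:
        return ("denied", str(exc) or exc.__class__.__name__)


if __name__ == "__main__":
    # An unauthenticated caller claims to be bob (id 1002) and asks for bob's record.
    forged = Request(session_user=None, params={"user_id": "1002", "record_id": "r-2"})
    print("vulnerable:", attempt(get_record_vulnerable, forged))  # ('ok', "bob's confidential record")
    print("fixed:     ", attempt(get_record_fixed, forged))       # ('denied', 'authentication required')
    # The legitimate owner still succeeds against the fixed handler.
    print("fixed/bob: ", attempt(get_record_fixed, Request("bob", {"record_id": "r-2"})))
```

The review question this encodes for any ATS Pro-like code path is simple: trace every identifier the client sends and confirm that the decision "who is this" never depends on it, and that the decision "may they see this object" compares the object's owner to the session principal, not to a second client-supplied value.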
Defensive priority
Critical. Patch or upgrade immediately, and assume any reachable deployment may be at risk until verified otherwise.
Recommended defensive actions
- Upgrade ATS Pro to version 20230714 or later, the first version NVD records as unaffected. If an upgrade is not yet possible, apply the exposure reductions below until it is.
- Inventory all ATS Pro instances and confirm which ones are internet-exposed or reachable from untrusted internal networks.
- Review authorization logic around any user-controlled keys, identifiers, or object lookups for improper access checks.
- Monitor logs for unexpected authentication successes, unusual account activity, or access to records that should be restricted.
- Temporarily reduce exposure by restricting network access to ATS Pro until remediation is complete.
- Validate that any compensating controls, such as reverse proxy rules or IAM policies, do not rely on client-supplied identifiers for authorization.
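As an added example of the log review recommended in the list above (not part of the original debrief and not based on ATS Pro's actual logs), the script below runs three heuristics over constructed sample access-log lines: protected resources served to requests with no session, a client-supplied `user_id` that disagrees with the session identity, and one client successfully reading many distinct records. The log format, the `SESSION_IDS` mapping, the `/records` path, and the threshold are assumptions; adapt the parser to the application's real log fields.

```python
# Added log-review example for a user-controlled-key bypass. The log format, field
# names, session-to-id mapping and threshold are assumptions for this example and
# are not ATS Pro's real log format.
from __future__ import annotations

from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log: time  client_ip  session_user("-" if none)  method  path?query  status
SAMPLE_LOG = """\
2023-07-15T09:00:01Z 10.0.0.5 alice GET /records?record_id=r-1 200
2023-07-15T09:00:02Z 10.0.0.5 alice GET /records?record_id=r-2 403
2023-07-15T09:05:10Z 203.0.113.9 - GET /records?user_id=1002&record_id=r-2 200
2023-07-15T09:05:11Z 203.0.113.9 - GET /records?user_id=1003&record_id=r-3 200
2023-07-15T09:05:12Z 203.0.113.9 - GET /records?user_id=1004&record_id=r-4 200
2023-07-15T09:05:13Z 203.0.113.9 - GET /records?user_id=1005&record_id=r-5 200
2023-07-15T09:05:14Z 203.0.113.9 - GET /records?user_id=1006&record_id=r-6 200
2023-07-15T09:07:00Z 10.0.0.7 bob GET /records?user_id=1001&record_id=r-1 200
"""

# Assumed mapping from session principal to its numeric id (from the IdP or user table).
SESSION_IDS = {"alice": "1001", "bob": "1002"}
PROTECTED_PREFIXES = ("/records",)
ENUMERATION_THRESHOLD = 5  # distinct record ids read by one client before we flag enumeration


def parse_line(line: str) -> Dict:
    """Split one constructed log line into fields; the query string becomes a dict."""
    ts, ip, user, method, target, status = line.split()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ts": ts, "ip": ip, "user": None if user == "-" else user,
            "method": method, "path": parts.path, "query": query, "status": int(status)}


def review(log_text: str) -> List[Dict]:
    """Return one finding dict per suspicious event or per enumerating client."""
    findings: List[Dict] = []
    records_by_ip: Dict[str, set] = defaultdict(set)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        protected = e["path"].startswith(PROTECTED_PREFIXES)
        served = protected and e["status"] == 200
        if served:
            records_by_ip[e["ip"]].add(e["query"].get("record_id"))
        # 1. A protected resource served with no session at all: an unexpected
        #    authentication success, the signature of an authentication bypass.
        if served and e["user"] is None:
            findings.append({"rule": "unauthenticated_success", "ip": e["ip"],
                             "ts": e["ts"], "path": e["path"]})
        # 2. The caller supplied a user_id that is not the session's own id:
        #    a client trying to act as someone else through a user-controlled key.
        claimed = e["query"].get("user_id")
        if claimed and e["user"] and SESSION_IDS.get(e["user"]) != claimed:
            findings.append({"rule": "user_id_mismatch", "ip": e["ip"], "ts": e["ts"],
                             "session": e["user"], "claimed": claimed})
    # 3. One client successfully reading many distinct records: id enumeration.
    for ip, ids in records_by_ip.items():
        if len(ids) >= ENUMERATION_THRESHOLD:
            findings.append({"rule": "record_enumeration", "ip": ip,
                             "distinct_records": len(ids)})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Rule 1 is the decisive one for a CWE-639 bypass of this shape: on a patched instance it should never fire, so any hit after the upgrade indicates either a second path or an incomplete rollout. Rules 2 and 3 are noisier and are best used to prioritise which sessions and clients to examine first.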
Evidence notes
The vulnerability details come from the NVD record and the linked USOM third-party advisory. The vendor is named two ways in the corpus: the human-readable description says Origin Software ATS Pro, while the CPE entry and vendor field identify orjinyazilim:ats_pro. These are the same vendor; orjinyazilim is the Turkish company name (Orjin Yazılım) of which "Origin Software" is the English rendering, so asset inventories and CPE matching should accept both spellings. The affected version boundary in NVD is versionEndExcluding 20230714. CWE-639 is cited in the third-party advisory metadata.
Official resources
- CVE-2023-2958 CVE record (CVE.org)
- CVE-2023-2958 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory (the USOM advisory cited in the evidence notes)
Publicly disclosed on 2023-07-17; NVD metadata was later modified on 2024-11-21.