PatchSiren cyber security CVE debrief

CVE-2023-2852 Softmed CVE debrief

CVE-2023-2852 is a critical SQL injection issue in Softmed SelfPatron affecting versions before 2.0. The CVE was published on 2023-07-10 and later modified on 2024-11-21. NVD classifies the issue as network-exploitable, with no privileges or user interaction required, and rates it 9.8/CRITICAL. For organizations that use SelfPatron, this should be treated as an urgent remediation item because a successful SQL injection can expose, alter, or disrupt application data.

Vendor: Softmed
Product: SelfPatron
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-07-10
Original CVE updated: 2024-11-21
Advisory published: 2023-07-10
Advisory updated: 2024-11-21

Who should care

Administrators, application owners, and security teams responsible for Softmed SelfPatron deployments, especially any instance running a version before 2.0. Web application and vulnerability management teams should also review exposed instances and associated database connectivity.

Technical summary

NVD describes CVE-2023-2852 as an improper neutralization of special elements used in an SQL command (CWE-89) in Softmed SelfPatron. The affected version range is all versions before 2.0. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with no authentication or user interaction required and high potential impact to confidentiality, integrity, and availability. A USOM advisory is referenced by NVD as supporting material.

Defensive priority

Urgent

Recommended defensive actions

  • Identify all Softmed SelfPatron deployments in your environment and confirm whether any instance is running a version earlier than 2.0.
  • Upgrade to SelfPatron 2.0 or later, once you have confirmed that 2.0 is the vendor-designated fixed version.
  • If immediate upgrading is not possible, restrict network access to the application and reduce exposure to trusted networks only.
  • Review application and database logs for unusual SQL query behavior or unexpected errors around SelfPatron endpoints.
  • Use the referenced advisory and official CVE/NVD records to validate remediation status and any vendor-specific guidance.
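The log-review step above is easiest to act on with a small triage script. The one below is an added example, not part of the debrief or of the SelfPatron product: it parses constructed log lines (the `/selfpatron/` path prefix, the line layout and the error text are assumptions for illustration) and lists clients that repeatedly triggered database-error responses on the monitored endpoints, which is the kind of anomaly worth pulling for manual review.

```python
"""Log-triage helper (added example, not from the debrief or the vendor).
Counts database-error responses per client on SelfPatron endpoints."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: access-log style fields plus an app="..." field
# carrying the application's error text. Paths, addresses and messages are invented.
SAMPLE_LOG = """\
203.0.113.7 [2023-07-11T09:12:01Z] "GET /selfpatron/login HTTP/1.1" 200 app="-"
203.0.113.7 [2023-07-11T09:12:02Z] "POST /selfpatron/login HTTP/1.1" 500 app="SQLSTATE[42000]: Syntax error or access violation"
203.0.113.7 [2023-07-11T09:12:02Z] "POST /selfpatron/login HTTP/1.1" 500 app="SQLSTATE[42000]: Syntax error or access violation"
203.0.113.7 [2023-07-11T09:12:03Z] "POST /selfpatron/login HTTP/1.1" 500 app="SQLSTATE[42000]: Syntax error or access violation"
198.51.100.20 [2023-07-11T09:15:44Z] "GET /selfpatron/account HTTP/1.1" 200 app="-"
198.51.100.20 [2023-07-11T09:15:50Z] "POST /selfpatron/account HTTP/1.1" 500 app="SQLSTATE[42000]: Syntax error or access violation"
192.0.2.9 [2023-07-11T09:20:00Z] "GET /static/logo.png HTTP/1.1" 200 app="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) app="(?P<app>[^"]*)"$'
)
# Generic database-error signatures as they appear in application error text.
DB_ERROR_RE = re.compile(
    r"SQLSTATE|syntax error|ORA-\d{5}|mysql_fetch|unterminated quoted string", re.I
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def triage(log_text: str, path_prefix: str = "/selfpatron/", error_threshold: int = 3) -> dict:
    """Return {client_ip: count} for clients with at least error_threshold
    5xx responses carrying a database-error signature on the monitored prefix."""
    errors = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        if rec["status"] >= 500 and DB_ERROR_RE.search(rec["app"]):
            errors[rec["ip"]] += 1
    return {ip: n for ip, n in errors.items() if n >= error_threshold}


if __name__ == "__main__":
    for ip, n in triage(SAMPLE_LOG).items():
        print(f"review {ip}: {n} database-error responses on SelfPatron endpoints")
```

With the default threshold only 203.0.113.7 is reported; lowering `error_threshold` to 1 also surfaces the single error from 198.51.100.20, so the threshold should be tuned against the application's normal error rate before the output is treated as a lead.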

Evidence notes

The supplied NVD metadata lists CVE-2023-2852 as a SQL injection in Softmedyazilim SelfPatron, affecting versions before 2.0, with CWE-89 and CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD also references a USOM third-party advisory. No additional vendor patch bulletin or exploit details were included in the supplied corpus.

Official resources

Publicly disclosed on 2023-07-10 in the CVE/NVD record; later modified on 2024-11-21.