PatchSiren cyber security CVE debrief
CVE-2023-3374 Unisign CVE debrief
CVE-2023-3374 is a critical vulnerability in Bookreen, described by NVD as an incomplete list of disallowed inputs (CWE-184) that can result in privilege escalation. The affected version range in NVD is all Bookreen versions before 3.0.0. The NVD CVSS v3.1 vector gives a network attack vector with low attack complexity, no privileges required and no user interaction, and rates the impact high for confidentiality, integrity, and availability. Because the source corpus is limited, the exact abuse path is not described here; the record does, however, make clear that upgrading to 3.0.0 or later is the relevant remediation boundary.
- Vendor: Unisign
- Product: Bookreen
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-09-05
- Original CVE updated: 2024-11-21
- Advisory published: 2023-09-05
- Advisory updated: 2024-11-21
Who should care
Bookreen administrators, operators, and security teams responsible for systems running Bookreen before 3.0.0 should treat this as high priority. Any Bookreen instance reachable over the network should be reviewed promptly, since the CVSS vector requires no authentication or user interaction; deployments where Bookreen enforces privilege boundaries between tenants, administrators, or backend services are the most exposed to the privilege-escalation outcome.
Technical summary
NVD describes the issue as an incomplete list of disallowed inputs in Bookreen, mapped to CWE-184 (Incomplete List of Disallowed Inputs, the weakness class for denylist-style input filtering that does not cover every dangerous input) and NVD-CWE-Other. The vulnerable CPE entry covers bookreen:bookreen versions earlier than 3.0.0. NVD's CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable flaw that requires neither prior authentication nor user interaction and can have severe impact on confidentiality, integrity, and availability. The supporting advisory reference is the USOM bulletin tr-23-0489.
Defensive priority
High. The combination of critical CVSS, no authentication requirement, and version-wide exposure before 3.0.0 makes this a priority remediation item for any Bookreen deployment that has not been upgraded.
Recommended defensive actions
- Upgrade Bookreen to version 3.0.0 or later, as the NVD vulnerable range ends before 3.0.0.
- Inventory all environments that run Bookreen and verify the installed version rather than assuming patches were applied.
- If immediate upgrade is not possible, restrict network access to Bookreen (for example to management networks or VPN-only reachability) as a compensating control, since the CVSS vector assumes the service is reachable without authentication, and review any exposed administrative paths.
- Check for unexpected privilege changes, new accounts, or authorization anomalies in systems running affected versions.
- Use the official NVD and CVE record, plus the USOM advisory, to track any vendor guidance or additional remediation notes.
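The inventory step above needs a version check that compares numerically rather than as strings, otherwise a host reporting 2.10.x sorts before 2.9.x and is missed. The following Python script is an added example, not code from PatchSiren, NVD, Unisign or the Bookreen project: it triages a constructed inventory against the NVD boundary of 3.0.0 and treats a semver pre-release such as 3.0.0-rc1 as still inside "before 3.0.0". How each host reports its Bookreen version is an assumption to replace with the operator's own source of truth (package manifest, admin UI, deployment config); the hostnames and version strings are invented.

```python
"""Triage a Bookreen inventory against CVE-2023-3374 (affected: < 3.0.0).

Added example, not vendor or project code. Host names, version strings
and the shape of the inventory are constructed for illustration.
"""
import re

# NVD vulnerable range for CVE-2023-3374: all versions before 3.0.0.
FIXED_VERSION = (3, 0, 0)

# Optional leading 'v', dotted numeric core, optional semver pre-release tag.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.-]+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) or None if unparseable.

    Components are compared as integers so 2.10.1 sorts after 2.9.4; a
    plain string comparison would get that wrong. Missing components
    are padded with zeros ('3.1' -> (3, 1, 0)).
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return tuple(parts), m.group(2) is not None


def is_affected(version_text):
    """True if inside NVD's vulnerable range, False if not, None if unknown."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None  # unparseable: needs manual verification, not silence
    version, prerelease = parsed
    if version < FIXED_VERSION:
        return True
    # Semver orders a pre-release (3.0.0-rc1) before the final 3.0.0,
    # so it still falls inside "before 3.0.0".
    return version == FIXED_VERSION and prerelease


def triage(inventory):
    """Bucket (host, reported_version) pairs into affected/fixed/unknown."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, reported in inventory:
        status = is_affected(reported)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["fixed"].append(host)
    return result


# Constructed sample inventory; every host name and version is invented.
SAMPLE_INVENTORY = [
    ("bookreen-prod-01", "2.9.4"),
    ("bookreen-prod-02", "v2.10.1"),
    ("bookreen-rc", "3.0.0-rc1"),
    ("bookreen-stage", "3.0.0"),
    ("bookreen-dev", "3.1"),
    ("bookreen-legacy", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket deserve a manual check rather than being dropped from the list; an inventory that cannot read a version is exactly the kind of host that was never upgraded.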
Evidence notes
This debrief is based on the official CVE/NVD record and the linked USOM third-party advisory. The supplied corpus states: affected Bookreen versions are before 3.0.0; the issue is an incomplete list of disallowed inputs; and the consequence is privilege escalation. NVD also supplies the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and weakness mappings CWE-184 and NVD-CWE-Other. No exploit details or unsupported attack narrative are included here.
Official resources
- CVE-2023-3374 CVE record (CVE.org)
- CVE-2023-3374 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE published on 2023-09-05 and modified on 2024-11-21. The supplied record does not include a separate vendor disclosure date.