PatchSiren cyber security CVE debrief
CVE-2023-3377 Veribilim Software Computer CVE debrief
CVE-2023-3377 is a critical SQL injection vulnerability in Veribase. The CVE description says the issue affects Veribase through 2023-11-23 and notes that the vendor was contacted early but did not respond. Based on the CVSS vector, the issue is network-reachable, requires no privileges or user interaction, and can have high impacts to confidentiality, integrity, and availability.
- Vendor
- Veribilim Software Computer
- Product
- Veribase
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2023-11-23
- Original CVE updated
- 2024-11-21
- Advisory published
- 2023-11-23
- Advisory updated
- 2024-11-21
Who should care
Organizations running Veribase, especially any instance exposed to untrusted networks. Security teams, application owners, database administrators, and incident responders should treat this as urgent because the vulnerability is remotely reachable and rated 9.8 CVSS.
Technical summary
NVD records CVE-2023-3377 as an SQL injection issue in Veribase with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-89. The affected CPE entry marks veribase:veribase as vulnerable through version 2023-11-23 inclusive. The corpus does not include a vendor fix or workaround statement, and the disclosure text says the vendor did not respond to early contact.
Defensive priority
Immediate. This is a critical, unauthenticated, remotely exploitable database-injection issue with full impact potential.
Recommended defensive actions
- Identify every Veribase deployment in your environment, including externally reachable and internal-only instances.
- Prioritize patching or upgrading to a vendor-provided fixed release if one becomes available.
- If no fix is available, restrict network exposure to trusted administration paths only and apply compensating access controls.
- Review application and database logs for unusual query patterns, authentication anomalies, or unexpected data access around the affected period.
- Validate whether custom code interacting with Veribase uses parameterized queries and safe input handling where applicable.
- Use the official CVE and NVD records as the primary tracking references and revisit them for any status changes.
Evidence notes
The CVE description explicitly states an SQL injection vulnerability in Veribase and that the vendor was contacted early but did not respond. NVD maps the issue to CWE-89 and lists CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected CPE criterion indicates veribase:veribase versions through 2023-11-23. The supplied reference list includes a broken USOM link, so only the official CVE and NVD links are used as reliable references here.
Official resources
-
CVE-2023-3377 CVE record
CVE.org
-
CVE-2023-3377 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Broken Link
Published on 2023-11-23. The source corpus also records a later NVD modification on 2024-11-21, but that is not the CVE issue date.