CVE-2023-49564
Authentication Bypass
Public disclosure |
18-09-2025 |
|---|---|
Last updated |
18-09-2025 |
Vulnerability type |
Authentication Bypass |
CVSS vector |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CVSS score |
9.6 |
Description
The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine.
The risk can be partially mitigated by restricting access to the management network using external firewall.
Affected products and versions
Product |
Versions |
|---|---|
CloudBand Infrastructure Software (CBIS) |
CBIS 22 |
Nokia Container Service (NCS) |
NCS 22.12 |
Mitigation plan
Fix has been provided in: CBIS 22 FP1 MP1.2, NCS 22.12 MP3
Acknowledgements
- Orange Cert
References
Change history : Initial version is published on 21-07-2025