CVE-2023-22428: 
Gallagher Command Centre vulnerability analysis and mitigation

CVE-2023-22428 is a high-severity vulnerability affecting the Command Centre Server software. The vulnerability was discovered and disclosed by Gallagher Internal, with no active exploitation reported at the time of disclosure. The issue affects multiple versions of Command Centre: vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831(MR8), vEL8.40 and prior versions (Vendor Advisory).

The vulnerability stems from improper privilege validation in the Command Centre Server that allows authenticated operators to modify Division lineage. The severity is rated as High with a CVSS v3.1 base score of 7.6 (HIGH) according to Gallagher Group Ltd., with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L. This indicates the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires no user interaction, has unchanged scope, and can impact confidentiality (low), integrity (high), and availability (low) (NVD).

The vulnerability allows authenticated operators to modify Division lineage within the Command Centre Server, potentially compromising the system's security structure. This could lead to unauthorized changes in the organizational hierarchy and access control settings, with high impact on system integrity and moderate impacts on confidentiality and availability (Vendor Advisory).

Gallagher has released maintenance releases to address this vulnerability: v8.80.1192 (MR2), v8.70.2185 (MR4), v8.60.2347 (MR6), and v8.50.2831 (MR8). No alternative workarounds are available, and users are advised to upgrade to the patched versions (Vendor Advisory).