
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-25074 is a security vulnerability discovered in Gallagher Command Centre Server that involves improper privilege validation. The vulnerability was disclosed in July 2023 and affects multiple versions of Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), and all versions vEL8.40 and prior (Vendor Advisory).
The vulnerability stems from improper privilege validation in the Command Centre Server that allows authenticated unprivileged operators to modify and view Competencies. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NVD rates it as MEDIUM with a base score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), while Gallagher Group Ltd. rates it as HIGH with a base score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) (NVD Database).
The vulnerability allows authenticated unprivileged operators to gain unauthorized access to view and modify Competencies within the Command Centre Server system, potentially compromising the integrity of the system's access control mechanisms (Vendor Advisory).
Gallagher has released maintenance releases to address this vulnerability: vEL8.50.2831 (MR8), vEL8.60.2347 (MR6), vEL8.70.2185 (MR4), vEL8.80.1192 (MR2), and vEL8.90.1318 (MR1). Users are advised to upgrade to these patched versions (Vendor Advisory).
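The affected ranges and fixed builds listed above can be checked against a deployment inventory. The following is an added example, not code from Gallagher or from this page; the function names, the `vEL<major>.<minor>.<build>` string form (assumed from how the page writes versions), and the sample inventory are assumptions.

```python
import re

# First fixed build per release branch, taken from the advisory text above.
FIXED_BUILD = {
    (8, 90): 1318,  # MR1
    (8, 80): 1192,  # MR2
    (8, 70): 2185,  # MR4
    (8, 60): 2347,  # MR6
    (8, 50): 2831,  # MR8
}
LAST_UNFIXED_BRANCH = (8, 40)  # "all versions vEL8.40 and prior" are affected

# Assumed string form, matching how the page writes versions: vEL<major>.<minor>.<build>
VERSION_RE = re.compile(r"^v?EL(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'not-listed' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, build = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch <= LAST_UNFIXED_BRANCH:
        return "affected"          # no fixed build is listed for these branches
    fixed = FIXED_BUILD.get(branch)
    if fixed is None:
        return "not-listed"        # branch not covered by the advisory text
    return "affected" if build < fixed else "fixed"


def needs_upgrade(inventory: dict[str, str]) -> dict[str, str]:
    """Map each affected host to the build it must reach (or a branch change)."""
    out = {}
    for host, version in inventory.items():
        if classify(version) != "affected":
            continue
        m = VERSION_RE.match(version.strip())
        branch = (int(m.group(1)), int(m.group(2)))
        fixed = FIXED_BUILD.get(branch)
        out[host] = (f"vEL{branch[0]}.{branch[1]}.{fixed}" if fixed
                     else "move to a patched branch")
    return out


if __name__ == "__main__":
    # Constructed inventory; host names and builds are illustrative only.
    sample = {"cc-prod": "vEL8.80.1100", "cc-dr": "vEL8.90.1318", "cc-lab": "vEL8.30.500"}
    for host, target in needs_upgrade(sample).items():
        print(f"{host}: upgrade -> {target}")
```

Branches newer than vEL8.90 are reported as `not-listed` rather than safe, because the text above says nothing about them.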
Source: This report was generated using AI