
8 vulnerabilities found for cmdb by device42

CVE-2022-1410 (GCVE-0-2022-1410)

Vulnerability from nvd – Published: 2022-08-16 23:30 – Updated: 2024-09-16 22:35
Title
Remote Code Execution in Device42 ApplianceManager console
Summary
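OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions. [Note: the structured record below lists the affected range as < 18.01.00 and names 18.01.00 as the fixing release, so the "18.01.00 and prior" wording is inconsistent with it; treat 18.01.00 as the minimum target version and confirm against the vendor's release notes.]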
CWE
  • CWE-78 - OS Command Injection
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-16 00:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.154Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-16T23:30:18.000Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote Code Execution in Device42 ApplianceManager console",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T19:00:00.000Z",
          "ID": "CVE-2022-1410",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution in Device42 ApplianceManager console"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1410",
    "datePublished": "2022-08-16T23:30:18.676Z",
    "dateReserved": "2022-04-20T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:35:09.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1401 (GCVE-0-2022-1401)

Vulnerability from nvd – Published: 2022-08-16 23:30 – Updated: 2024-09-17 02:11
Title
Insufficient validation of provided paths in Exago WrImageResource.axd
Summary
Improper Access Control vulnerability in the /Exago/WrImageResource.axd route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-15 21:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-15T21:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00.\u003c/p\u003e"
            }
          ],
          "value": "Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-20T09:18:04.118Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn update to Device42 CMDB version 18.01.00 fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insufficient validation of provided paths in Exago WrImageResource.axd",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T19:00:00.000Z",
          "ID": "CVE-2022-1401",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient validation of provided paths in Exago WrImageResource.axd"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1401",
    "datePublished": "2022-08-16T23:30:36.607Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:11:37.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1400 (GCVE-0-2022-1400)

Vulnerability from nvd – Published: 2022-08-16 23:25 – Updated: 2024-09-16 22:36
Title
Hardcoded encryption key IV in Exago WebReportsApi.dll
Summary
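Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00. [Note: the "solutions" field of the record below names version 19.01.00 as the fix, while the affected range and this summary use 18.01.00; the record does not explain the difference, so verify the fixed release with the vendor before closing out remediation.]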
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-16 00:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.249Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321 Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-16T23:25:12.000Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "An update to Device42 CMDB  version 19.01.00 fixes the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Hardcoded encryption key IV in Exago WebReportsApi.dll",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T19:00:00.000Z",
          "ID": "CVE-2022-1400",
          "STATE": "PUBLIC",
          "TITLE": "Hardcoded encryption key IV in Exago WebReportsApi.dll"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-321 Use of Hard-coded Cryptographic Key"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to Device42 CMDB  version 19.01.00 fixes the issue."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1400",
    "datePublished": "2022-08-16T23:25:12.477Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:36:19.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1399 (GCVE-0-2022-1399)

Vulnerability from nvd – Published: 2022-08-16 23:20 – Updated: 2024-09-16 23:51
Title
Remote code execution in scheduled tasks component
Summary
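An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions. [Note: the record below scores this with a network attack vector and high privileges required (CVSS:3.1/AV:N/AC:L/PR:H/...), and the title calls it remote code execution, so "local attacker" should not be read as requiring local access when prioritising. The structured affected range is < 18.01.00, with 18.01.00 named as the fix.]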
CWE
  • CWE-88 - Argument Injection or Modification
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-16 00:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.283Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Argument Injection or Modification vulnerability in the \"Change Secret\" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Argument Injection or Modification",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-16T23:20:10.000Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "An update to version 18.01.00 fixes the issue"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote code execution in scheduled tasks component",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T21:00:00.000Z",
          "ID": "CVE-2022-1399",
          "STATE": "PUBLIC",
          "TITLE": "Remote code execution in scheduled tasks component"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Argument Injection or Modification vulnerability in the \"Change Secret\" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-88 Argument Injection or Modification"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to version 18.01.00 fixes the issue"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1399",
    "datePublished": "2022-08-16T23:20:10.751Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:51:14.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1401 (GCVE-0-2022-1401)

Vulnerability from cvelistv5 – Published: 2022-08-16 23:30 – Updated: 2024-09-17 02:11
Title
Insufficient validation of provided paths in Exago WrImageResource.axd
Summary
Improper Access Control vulnerability in the /Exago/WrImageResource.axd route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-15 21:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-15T21:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00.\u003c/p\u003e"
            }
          ],
          "value": "Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-20T09:18:04.118Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn update to Device42 CMDB version 18.01.00 fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insufficient validation of provided paths in Exago WrImageResource.axd",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T19:00:00.000Z",
          "ID": "CVE-2022-1401",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient validation of provided paths in Exago WrImageResource.axd"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. This issue affects: Device42 CMDB versions prior to 18.01.00."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1401",
    "datePublished": "2022-08-16T23:30:36.607Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:11:37.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1410 (GCVE-0-2022-1410)

Vulnerability from cvelistv5 – Published: 2022-08-16 23:30 – Updated: 2024-09-16 22:35
Title
Remote Code Execution in Device42 ApplianceManager console
Summary
OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions.
CWE
  • CWE-78 - OS Command Injection
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-16 00:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.154Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-16T23:30:18.000Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote Code Execution in Device42 ApplianceManager console",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T19:00:00.000Z",
          "ID": "CVE-2022-1410",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution in Device42 ApplianceManager console"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1410",
    "datePublished": "2022-08-16T23:30:18.676Z",
    "dateReserved": "2022-04-20T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:35:09.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1400 (GCVE-0-2022-1400)

Vulnerability from cvelistv5 – Published: 2022-08-16 23:25 – Updated: 2024-09-16 22:36
Title
Hardcoded encryption key IV in Exago WebReportsApi.dll
Summary
Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00.
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-16 00:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.249Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321 Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-16T23:25:12.000Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "An update to Device42 CMDB  version 19.01.00 fixes the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Hardcoded encryption key IV in Exago WebReportsApi.dll",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T19:00:00.000Z",
          "ID": "CVE-2022-1400",
          "STATE": "PUBLIC",
          "TITLE": "Hardcoded encryption key IV in Exago WebReportsApi.dll"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-321 Use of Hard-coded Cryptographic Key"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to Device42 CMDB  version 19.01.00 fixes the issue."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1400",
    "datePublished": "2022-08-16T23:25:12.477Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:36:19.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1399 (GCVE-0-2022-1399)

Vulnerability from cvelistv5 – Published: 2022-08-16 23:20 – Updated: 2024-09-16 23:51
Title
Remote code execution in scheduled tasks component
Summary
An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions.
CWE
  • CWE-88 - Argument Injection or Modification
Assigner
References
Impacted products
Vendor Product Version
Device42 CMDB Affected: unspecified , < 18.01.00 (custom)
Date Public ?
2022-08-16 00:00
Credits
Ștefania POPESCU - Team Lead, Security @ Bitdefender; Ionuț LALU - Security Engineer @ Bitdefender; Cristian BUZA - Security Engineer @ Bitdefender; Alexandru LAZĂR - Security Researcher @ Bitdefender

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.283Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CMDB",
          "vendor": "Device42",
          "versions": [
            {
              "lessThan": "18.01.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Cristian BUZA - Security Engineer @ Bitdefender"
        },
        {
          "lang": "en",
          "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
        }
      ],
      "datePublic": "2022-08-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Argument Injection or Modification vulnerability in the \"Change Secret\" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Argument Injection or Modification",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-16T23:20:10.000Z",
        "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
        "shortName": "Bitdefender"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "An update to version 18.01.00 fixes the issue"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote code execution in scheduled tasks component",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-requests@bitdefender.com",
          "DATE_PUBLIC": "2022-08-16T21:00:00.000Z",
          "ID": "CVE-2022-1399",
          "STATE": "PUBLIC",
          "TITLE": "Remote code execution in scheduled tasks component"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CMDB",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "18.01.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Device42"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Cristian BUZA - Security Engineer @ Bitdefender"
          },
          {
            "lang": "eng",
            "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Argument Injection or Modification vulnerability in the \"Change Secret\" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-88 Argument Injection or Modification"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/",
              "refsource": "MISC",
              "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "An update to version 18.01.00 fixes the issue"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
    "assignerShortName": "Bitdefender",
    "cveId": "CVE-2022-1399",
    "datePublished": "2022-08-16T23:20:10.751Z",
    "dateReserved": "2022-04-19T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:51:14.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}