CVE-2022-24689 (GCVE-0-2022-24689)

Vulnerability from cvelistv5 – Published: 2022-07-18 12:34 – Updated: 2024-08-03 04:20
VLAI?
Summary
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.187Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dsk.lu/fr/produits/temps-de-presence"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-18T12:34:24.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dsk.lu/fr/produits/temps-de-presence"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-24689",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://dsk.lu/fr/produits/temps-de-presence",
              "refsource": "MISC",
              "url": "https://dsk.lu/fr/produits/temps-de-presence"
            },
            {
              "name": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf",
              "refsource": "MISC",
              "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-24689",
    "datePublished": "2022-07-18T12:34:24.000Z",
    "dateReserved": "2022-02-09T00:00:00.000Z",
    "dateUpdated": "2024-08-03T04:20:50.187Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-24689",
      "date": "2026-05-05",
      "epss": "0.00192",
      "percentile": "0.4073"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24689\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-07-18T13:15:09.760\",\"lastModified\":\"2024-11-21T06:50:53.037\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en DSK DSKNet versiones 2.16.136.0 y 2.17.136.5. El control de acceso es manejado inapropiadamente. Esto permite que un atacante remoto acceda a las p\u00e1ginas de informaci\u00f3n de la cuenta (incluidos los datos personales) sin ser autenticado. La informaci\u00f3n recopilada incluye los n\u00fameros de identificaci\u00f3n que funcionan como nombres de inicio de sesi\u00f3n de usuarios. Presentan un c\u00f3digo PIN. El c\u00f3digo PINpresenta4 d\u00edgitos y, por lo tanto, puede ser adivinado en 10000 intentos de fuerza bruta\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dsk:dsknet:2.16.136.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49B0E313-BCD6-47A4-9968-A49FD8E78A34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dsk:dsknet:2.17.136.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B31B0D02-2879-422F-8100-2594CA5E82F5\"}]}]}],\"references\":[{\"url\":\"https://dsk.lu/fr/produits/temps-de-presence\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://dsk.lu/fr/produits/temps-de-presence\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.