History: Aug 17, 2022 - 12:15 a.m.

CVE-2022-1399

2022-08-17 00:15:08
CWE-88
Bitdefender
web.nvd.nist.gov
cve-2022-1399
argument injection
modification
discovery
device42 cmdb
vulnerability
local attacker
arbitrary code
root privileges

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 9
Confidence: High

EPSS: 0.001
Percentile: 41.4%

An Argument Injection or Modification vulnerability in the “Change Secret” username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions.

Affected configurations

Nvd

Node: device42 cmdb, Range: < 18.01.00

Vendor | Product | Version | CPE
device42 | cmdb | * | cpe:2.3:a:device42:cmdb:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "CMDB",
    "vendor": "Device42",
    "versions": [
      {
        "lessThan": "18.01.00",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
