Lucene search

KrcertCVE-2022-23771

HistoryOct 17, 2022 - 4:15 p.m.

CVE-2022-23771

2022-10-1716:15:20

CWE-352

krcert

web.nvd.nist.gov

iptime

nas

vulnerability

user accounts

creation

deletion

post request

validation

exploit

arbitrary user privileges

nvd

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

32.3%

JSON

This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.

Affected configurations

Nvd

Node

iptimenas1dual_firmwareRange<1.4.86

AND

iptimenas1dualMatch-

Node

iptimenas2dual_firmwareRange<1.4.86

AND

iptimenas2dualMatch-

Node

iptimenas4dual_firmwareRange<1.4.86

AND

iptimenas4dualMatch-

VendorProductVersionCPE
iptimenas1dual_firmware*cpe:2.3:o:iptime:nas1dual_firmware:*:*:*:*:*:*:*:*
iptimenas1dual-cpe:2.3:h:iptime:nas1dual:-:*:*:*:*:*:*:*
iptimenas2dual_firmware*cpe:2.3:o:iptime:nas2dual_firmware:*:*:*:*:*:*:*:*
iptimenas2dual-cpe:2.3:h:iptime:nas2dual:-:*:*:*:*:*:*:*
iptimenas4dual_firmware*cpe:2.3:o:iptime:nas4dual_firmware:*:*:*:*:*:*:*:*
iptimenas4dual-cpe:2.3:h:iptime:nas4dual:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
iptime	nas1dual_firmware	*	cpe:2.3:o:iptime:nas1dual_firmware::::::::
iptime	nas1dual	-	cpe:2.3:h:iptime:nas1dual:-:::::::*
iptime	nas2dual_firmware	*	cpe:2.3:o:iptime:nas2dual_firmware::::::::
iptime	nas2dual	-	cpe:2.3:h:iptime:nas2dual:-:::::::*
iptime	nas4dual_firmware	*	cpe:2.3:o:iptime:nas4dual_firmware::::::::
iptime	nas4dual	-	cpe:2.3:h:iptime:nas4dual:-:::::::*

CNA Affected

[
  {
    "vendor": "EFM Networks Co., Ltd",
    "product": "NAS1dual, NAS2dual, NAS4dual",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "1.4.86",
        "status": "affected",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Linux, Windows and etc.."
    ]
  }
]

References

www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

32.3%

JSON

Related for CVE-2022-23771