History: Aug 18, 2022 - 6:15 p.m.

CVE-2022-37062

2022-08-18 18:15:08
CWE-306
mitre
web.nvd.nist.gov
53
In Wild
4
flir ax8
thermal sensor cameras
vulnerability
insecure design
directory access restriction
sqlite
unauthorized access
username extraction
password extraction
cve-2022-37062

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 8.6
Confidence: High

EPSS: 0.005
Percentile: 76.9%

All FLIR AX8 thermal sensor cameras, versions up to and including 1.46.16, are affected by an insecure design vulnerability caused by an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and downloading it. A successful exploit could allow the attacker to extract usernames and hashed passwords.

Affected configurations

Nvd
Node
flir  flir_ax8           Match  -
AND
flir  flir_ax8_firmware  Range  1.46.16

Vendor  Product            Version  CPE
flir    flir_ax8           -        cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*
flir    flir_ax8_firmware  *        cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*
