Lucene search

GitHub_MCVE-2022-39216

HistoryMar 14, 2023 - 4:15 p.m.

CVE-2022-39216

2023-03-1416:15:10

CWE-330

GitHub_M

web.nvd.nist.gov

combodo

itop

cve-2022-39216

it service management

account takeover

security vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.002

Percentile

57.1%

JSON

Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1.

Affected configurations

Nvd

Vulners

Node

combodoitopRange2.0.2–2.7.8

combodoitopRange3.0.0–3.0.2-1

VendorProductVersionCPE
combodoitop*cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
combodo	itop	*	cpe:2.3:a:combodo:itop::::::::

CNA Affected

[
  {
    "vendor": "Combodo",
    "product": "iTop",
    "versions": [
      {
        "version": "< 2.7.8",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0, < 3.0.2-1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229

github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b

github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.002

Percentile

57.1%

JSON

Related for CVE-2022-39216