Lucene search

GitHub Advisory DatabaseGHSA-GRW3-HJJM-5CJM

HistoryMay 14, 2022 - 2:38 a.m.

DotNetNuke Default Machine Key Exposure

2022-05-1402:38:47

CWE-453

GitHub Advisory Database

github.com

dotnetnuke

default keys

validationkey

decryptionkey

remote attackers

access restrictions

web.config

installation

upgrade

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS

0.064

Percentile

93.7%

JSON

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Affected configurations

Vulners

Node

dotnetnuke.coreRange<4.8.2

VendorProductVersionCPE
*dotnetnuke.core*cpe:2.3:a:*:dotnetnuke.core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	dotnetnuke.core	*	cpe:2.3:a::dotnetnuke.core::::::::*

References

osvdb.org/43720

secunia.com/advisories/29488

www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

www.securityfocus.com/archive/1/489957/100/0/threaded

www.securityfocus.com/bid/28391

exchange.xforce.ibmcloud.com/vulnerabilities/41399

github.com/advisories/GHSA-grw3-hjjm-5cjm

nvd.nist.gov/vuln/detail/CVE-2008-6540

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS

0.064

Percentile

93.7%

JSON

Related for GHSA-GRW3-HJJM-5CJM