Lucene search

[email protected]NVD:CVE-2022-22120

HistoryJan 10, 2022 - 4:15 p.m.

CVE-2022-22120

2022-01-1016:15:10

CWE-203

[email protected]

web.nvd.nist.gov

nocodb

password-reset

vulnerability

email addresses

enumeration

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

39.3%

JSON

In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn’t registered within the system. This allows attackers to enumerate the registered users’ email addresses.

Affected configurations

Nvd

Node

xgenecloudnocodbRange0.9–0.83.8

VendorProductVersionCPE
xgenecloudnocodb*cpe:2.3:a:xgenecloud:nocodb:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xgenecloud	nocodb	*	cpe:2.3:a:xgenecloud:nocodb::::::::

References

github.com/nocodb/nocodb/commit/f46e89b0

www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22120

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

39.3%

JSON

Related for NVD:CVE-2022-22120

veracode1 cvelist1 cve1 osv1 prion1