CVE-2022-40084

2022-10-2014:15:09

CWE-203

[email protected]

web.nvd.nist.gov

opencrx

v5.2.2

password enumeration

vulnerability

error messages

password reset

attacker

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

37.0%

JSON

OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.

Affected configurations

NVD

Node

opencrxopencrxRange≤5.2.2

References

cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294&text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack.

github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md