CVE-2022-23771 - Vulnerability Details - OpenCVE

ReportizFlow

This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Iptime	Nas1dual Nas1dual Firmware Nas2dual Nas2dual Firmware Nas4dual Nas4dual Firmware

Configuration 1 [-]

AND

cpe:2.3:o:iptime:nas1dual_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:iptime:nas1dual:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:iptime:nas2dual_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:iptime:nas2dual:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:iptime:nas4dual_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:iptime:nas4dual:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964

History

No history.

MITRE

Status: PUBLISHED

Assigner: krcert

Published: 2022-10-17T00:00:00

Updated: 2024-08-03T03:51:46.060Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23771

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-17T16:15:20.857

Modified: 2024-11-21T06:49:15.023

Link: CVE-2022-23771

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:iptime:nas1dual_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "90965263-2D84-4742-B60E-0A6738D9F329", "versionEndExcluding": "1.4.86", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:iptime:nas1dual:-:*:*:*:*:*:*:*", "matchCriteriaId": "2ACEC464-70B3-452B-A1A3-594C697E3AB3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:iptime:nas2dual_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C67D4CA9-5991-4E37-B3E4-F39A49E949E8", "versionEndExcluding": "1.4.86", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:iptime:nas2dual:-:*:*:*:*:*:*:*", "matchCriteriaId": "271D21D5-A55E-4D4F-8473-5A7A67573DEA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:iptime:nas4dual_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D302186C-3FF6-49F2-9622-ED3FB06F9EE1", "versionEndExcluding": "1.4.86", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:iptime:nas4dual:-:*:*:*:*:*:*:*", "matchCriteriaId": "0429CC1A-B95C-4FB0-90D6-D6CAD8E1CC14", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges."}, {"lang": "es", "value": "Esta vulnerabilidad es producida en las p\u00e1ginas relacionadas con la creaci\u00f3n y eliminaci\u00f3n de cuentas de usuario de los productos IPTIME NAS. La vulnerabilidad podr\u00eda ser explotada por una falta de comprobaci\u00f3n cuando es realizada una petici\u00f3n POST a esta p\u00e1gina. Un atacante puede usar esta vulnerabilidad para o eliminar cuentas de usuario, o para escalar privilegios de usuario arbitrarios"}], "id": "CVE-2022-23771", "lastModified": "2024-11-21T06:49:15.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-10-17T16:15:20.857", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "[email protected]", "type": "Primary"}]}