CVE-2022-27891 - Vulnerability Details - OpenCVE

Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Palantir	Gotham

Configuration 1 [-]

cpe:2.3:o:palantir:gotham:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-10.md

History

No history.

MITRE

Status: PUBLISHED

Assigner: Palantir

Published: 2023-02-16T00:00:00

Updated: 2024-08-03T05:41:10.603Z

Reserved: 2022-03-25T00:00:00

Link: CVE-2022-27891

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-16T16:15:12.020

Modified: 2024-11-21T06:56:25.540

Link: CVE-2022-27891

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-27891", "assignerOrgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4", "assignerShortName": "Palantir", "dateUpdated": "2024-08-03T05:41:10.603Z", "dateReserved": "2022-03-25T00:00:00", "datePublished": "2023-02-16T00:00:00"}, "containers": {"cna": {"title": "Palantir Gotham included an unauthenticated endpoint that listed all active usernames in the platform with an active session. ", "datePublic": "2023-02-03T00:00:00", "providerMetadata": {"orgId": "bbcbe11d-db20-4bc2-8a6e-c79f87041fd4", "shortName": "Palantir", "dateUpdated": "2023-02-16T00:00:00"}, "descriptions": [{"lang": "en", "value": "Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0."}], "affected": [{"vendor": "Palantir", "product": "Gotham", "versions": [{"version": "unspecified", "lessThan": "3.22.10.4", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-10.md"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-200 Information Exposure", "cweId": "CWE-200"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "PLTRSEC-2022-10", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:41:10.603Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-10.md", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:palantir:gotham:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F077CC1-A0D1-4DB1-9594-D0C326F1A078", "versionEndExcluding": "3.22.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0."}], "id": "CVE-2022-27891", "lastModified": "2024-11-21T06:56:25.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-02-16T16:15:12.020", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-10.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-10.md"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "[email protected]", "type": "Primary"}]}