Lucene search

[email protected]CVE-2022-1254

HistoryApr 20, 2022 - 1:15 p.m.

CVE-2022-1254

2022-04-2013:15:07

CWE-601

[email protected]

web.nvd.nist.gov

cve-2022-1254

url redirection

skyhigh swg

main releases

controlled release

security vulnerability

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.4%

JSON

A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to 7.8.2.31, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker. This is possible because SWG incorrectly creates a HTTP redirect response when a user clicks a carefully constructed URL. Following the redirect response, the new request is still filtered by the SWG policy.

Affected configurations

NVD

Node

mcafeeweb_gatewayRange7.0.0–7.8.2.31

mcafeeweb_gatewayRange8.0.0–8.2.27

mcafeeweb_gatewayRange9.0.0–9.2.20

mcafeeweb_gatewayRange10.0.0–10.2.9

mcafeeweb_gatewayRange11.0.0–11.1.3

CPENameOperatorVersion
mcafee:web_gatewaymcafee web gatewaylt7.8.2.31
mcafee:web_gatewaymcafee web gatewaylt8.2.27
mcafee:web_gatewaymcafee web gatewaylt9.2.20
mcafee:web_gatewaymcafee web gatewaylt10.2.9
mcafee:web_gatewaymcafee web gatewaylt11.1.3

CPE	Name	Operator	Version
mcafee:web_gateway	mcafee web gateway	lt	7.8.2.31
mcafee:web_gateway	mcafee web gateway	lt	8.2.27
mcafee:web_gateway	mcafee web gateway	lt	9.2.20
mcafee:web_gateway	mcafee web gateway	lt	10.2.9
mcafee:web_gateway	mcafee web gateway	lt	11.1.3

CNA Affected

[
  {
    "product": "Secure Web Gateway",
    "vendor": "McAfee,LLC",
    "versions": [
      {
        "lessThan": "10.2.9",
        "status": "affected",
        "version": "10.X",
        "versionType": "custom"
      },
      {
        "lessThan": "9.2.20",
        "status": "affected",
        "version": "9.x",
        "versionType": "custom"
      },
      {
        "lessThan": "8.2.27",
        "status": "affected",
        "version": "8.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.8.2.31",
        "status": "affected",
        "version": "7.x",
        "versionType": "custom"
      },
      {
        "lessThan": "11.1.3",
        "status": "affected",
        "version": "Controlled 11.x",
        "versionType": "custom"
      }
    ]
  }
]

References

kc.mcafee.com/corporate/index?page=content&id=SB10381

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.4%

JSON

Related for CVE-2022-1254

prion1 nvd1 cvelist1