CVE-2022-23497

2022-12-0923:15:11

CWE-200

[email protected]

web.nvd.nist.gov

freshrss

rss aggregator

cve-2022-23497

security vulnerability

remote access

user configuration

api

manual patch

version 1.20.2

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

66.1%

JSON

FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (brypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file ./FreshRSS/p/ext.php.

Affected configurations

Vulners

NVD

Node

freshrssfreshrssRange1.18.0–1.20.2

VendorProductVersionCPE
freshrssfreshrss*cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
freshrss	freshrss	*	cpe:2.3:a:freshrss:freshrss::::::::

CNA Affected

[
  {
    "vendor": "FreshRSS",
    "product": "FreshRSS",
    "versions": [
      {
        "version": ">= 1.18.0, < 1.20.2",
        "status": "affected"
      }
    ]
  }
]