Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2022-23627
HistoryFeb 08, 2022 - 11:15 p.m.

CVE-2022-23627

2022-02-0823:15:07
CWE-863
GitHub_M
web.nvd.nist.gov
87
archisteamfarm
asf
cve-2022-23627
security bug
unauthorized access
patch
update

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

41.9%

JSON

ArchiSteamFarm (ASF) is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code, introduced in version V5.2.2.2, the program didn’t adequately verify effective access of the user sending proxy (i.e. [Bots]) commands. In particular, a proxy-like command sent to bot A targeting bot B has incorrectly verified user’s access against bot A - instead of bot B, to which the command was originally designated. This in result allowed access to resources beyond those configured, being a security threat affecting confidentiality of other bot instances. A successful attack exploiting this bug requires a significant access granted explicitly by original owner of the ASF process prior to that, as attacker has to control at least a single bot in the process to make use of this inadequate access verification loophole. The issue is patched in ASF V5.2.2.5, V5.2.3.2 and future versions. Users are advised to update as soon as possible.

Affected configurations

Nvd
Vulners
Node
archisteamfarm_projectarchisteamfarmRange5.2.2.25.2.2.5
OR
archisteamfarm_projectarchisteamfarmRange5.2.3.05.2.3.2
VendorProductVersionCPE
archisteamfarm_projectarchisteamfarm*cpe:2.3:a:archisteamfarm_project:archisteamfarm:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "ArchiSteamFarm",
    "vendor": "JustArchiNET",
    "versions": [
      {
        "status": "affected",
        "version": ">= 5.2.2.2, < 5.2.2.5"
      },
      {
        "status": "affected",
        "version": ">= 5.2.3.0, < 5.2.3.2"
      }
    ]
  }
]

Related

cvelist 1
prion 1
nvd 1
osv 1
cvelist
cvelist
CVE-2022-23627 Inadequate access verification when using proxy commands in ArchiSteamFarm
2022-02-08 22:30:13
prion
prion
Design/Logic Flaw
2022-02-08 23:15:00
nvd
nvd
CVE-2022-23627
2022-02-08 23:15:07
osv
osv
CVE-2022-23627
2022-02-08 23:15:07

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

41.9%

JSON
Related for CVE-2022-23627
cvelist1prion1nvd1osv1