Lucene search

[email protected]CVE-2022-26348

HistoryJul 06, 2022 - 5:15 p.m.

CVE-2022-26348

2022-07-0617:15:07

CWE-89

[email protected]

web.nvd.nist.gov

cve-2022-26348

nvd

vulnerability

sql injection

command centre server

windows registry

gallagher command centre

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.7%

JSON

Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. The Windows Registry setting allows an attacker using the Visitor Management Kiosk, an application designed for public use, to invoke an arbitrary SQL query that has been preloaded into the registry of the Windows Server to obtain sensitive information. This issue affects: Gallagher Command Centre 8.60 versions prior to 8.60.1652; 8.50 versions prior to 8.50.2245; 8.40 versions prior to 8.40.2216; 8.30 versions prior to 8.30.1470; version 8.20 and prior versions.

Affected configurations

NVD

Node

gallaghercommand_centreRange≤8.20

gallaghercommand_centreRange8.30–8.30.1470

gallaghercommand_centreRange8.40–8.40.2216

gallaghercommand_centreRange8.50–8.50.2245

gallaghercommand_centreRange8.60–8.60.1652

CPENameOperatorVersion
gallagher:command_centregallagher command centrele8.20
gallagher:command_centregallagher command centrelt8.30.1470
gallagher:command_centregallagher command centrelt8.40.2216
gallagher:command_centregallagher command centrelt8.50.2245
gallagher:command_centregallagher command centrelt8.60.1652

CPE	Name	Operator	Version
gallagher:command_centre	gallagher command centre	le	8.20
gallagher:command_centre	gallagher command centre	lt	8.30.1470
gallagher:command_centre	gallagher command centre	lt	8.40.2216
gallagher:command_centre	gallagher command centre	lt	8.50.2245
gallagher:command_centre	gallagher command centre	lt	8.60.1652

CNA Affected

[
  {
    "product": "Command Centre",
    "vendor": "Gallagher",
    "versions": [
      {
        "lessThanOrEqual": "8.20",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "8.60.1652",
        "status": "affected",
        "version": "8.60",
        "versionType": "custom"
      },
      {
        "lessThan": "8.50.2245",
        "status": "affected",
        "version": "8.50",
        "versionType": "custom"
      },
      {
        "lessThan": "8.40.2216",
        "status": "affected",
        "version": "8.40",
        "versionType": "custom"
      },
      {
        "lessThan": "8.30.1470",
        "status": "affected",
        "version": "8.30",
        "versionType": "custom"
      }
    ]
  }
]

References

security.gallagher.com/Security-Advisories/CVE-2022-26348

Social References

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.7%

JSON

Related for CVE-2022-26348

cvelist1 prion1 nvd1