Lucene search

[email protected]CVE-2022-37164

HistorySep 08, 2022 - 4:15 p.m.

CVE-2022-37164

2022-09-0816:15:08

CWE-287

CWE-916

[email protected]

web.nvd.nist.gov

cve-2022-37164

inoda ontrack

weak password policy

unauthorized access

hashcat

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.0%

JSON

Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

Affected configurations

NVD

Node

ontrack_projectontrackMatch3.4

CPENameOperatorVersion
ontrack_project:ontrackontrack project ontrackeq3.4

CPE	Name	Operator	Version
ontrack_project:ontrack	ontrack project ontrack	eq	3.4

References

cwe.mitre.org/data/definitions/521.html

cwe.mitre.org/data/definitions/916.html

gainsec.com/2022/08/07/cve-2022-hardcoded-creds-weak-password-hauk-android-location-sharing/

github.com/inoda/ontrack/issues/78

Social References

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.0%

JSON

Related for CVE-2022-37164

nvd1 prion1 cvelist1