CVE-2022-38337

2022-12-06 00:15:10
CWE-798
web.nvd.nist.gov

Tags: cve-2022-38337, sftp, mobaxterm, hardcoded password, dos, fail2ban

CVSS3: 9.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score: 9.1 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 59.2%)

When aborting an SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server. The server treats this as an invalid login attempt, which can result in a Denial of Service (DoS) for the user if services like fail2ban are used.

Affected configurations

NVD
Node: mobatek mobaxterm, Range: 22.2
