Lucene search

[email protected]CVE-2022-43978

HistoryJan 27, 2023 - 10:15 p.m.

CVE-2022-43978

2023-01-2722:15:08

CWE-798

CWE-287

[email protected]

web.nvd.nist.gov

cve-2022-43978

pandora fms v764

improper authentication

vulnerability

nvd

5.6 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

There is an improper authentication vulnerability in Pandora FMS v764. The application verifies that the user has a valid session when he is not trying to do a login. Since the secret is static in generatePublicHash function, an attacker with knowledge of a valid session can abuse this in order to pass the authentication check.

Affected configurations

Vulners

NVD

Node

pandorafmspandora_fmsRange≤v764

CPENameOperatorVersion
pandorafms:pandora_fmspandorafms pandora fmslt766

CPE	Name	Operator	Version
pandorafms:pandora_fms	pandorafms pandora fms	lt	766

CNA Affected

[
  {
    "vendor": "Artica PFMS",
    "product": "Pandora FMS",
    "versions": [
      {
        "version": "v764",
        "status": "affected",
        "lessThanOrEqual": "v764",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "all"
    ]
  }
]

References

pandorafms.com/en/security/common-vulnerabilities-and-exposures/

5.6 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

Related for CVE-2022-43978

cvelist1 prion1 nvd1