History: Dec 09, 2022 - 10:16 p.m.

CVE-2022-23497 Insecure file access in FreshRSS

Published: 2022-12-09 22:16:00
CWE-200
Source: GitHub_M (www.cve.org)

Tags: freshrss, rss aggregator, user configuration files, remote access, hashed passwords, api, greader api, fever api, update, patch, security vulnerability

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

EPSS: 0.003 Low (Percentile 66.1%)

FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (bcrypt with cost 9, salted) of the FreshRSS Web interface. If the API is used, the configuration might also contain a hashed password (bcrypt with cost 9, salted) of the GReader API and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file ./FreshRSS/p/ext.php.

CNA Affected

[
  {
    "vendor": "FreshRSS",
    "product": "FreshRSS",
    "versions": [
      {
        "version": ">= 1.18.0, < 1.20.2",
        "status": "affected"
      }
    ]
  }
]
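A defender-side check that ties the description and the CNA affected range together: it parses the ">= 1.18.0, < 1.20.2" range string from the record above, decides whether an installed FreshRSS version falls inside it, and reports whether the documented workaround (removing p/ext.php) is in place. This is an added example written for this page, not FreshRSS project code; the install directory layout beyond p/ext.php and the treatment of "edge" as fixed (the advisory says to update to 1.20.2 or edge) are assumptions.

```python
"""Assess a FreshRSS install against the CVE-2022-23497 affected range."""
import os
import re

# Affected range exactly as given in the CNA data for this CVE.
AFFECTED_RANGE = ">= 1.18.0, < 1.20.2"
# File the advisory says can be deleted as a workaround (relative to the install root).
WORKAROUND_FILE = os.path.join("p", "ext.php")

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Turn '1.20.2' into a comparable tuple (1, 20, 2)."""
    return tuple(int(x) for x in text.strip().split("."))

def parse_range(spec):
    """Split 'op version, op version' clauses into (op, version-tuple) pairs."""
    clauses = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|<|>|=)\s*([\d.]+)\s*", part)
        if not m:
            raise ValueError(f"unrecognised range clause: {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses

def is_affected(version, spec=AFFECTED_RANGE):
    """True when every clause of the affected range holds for `version`.
    'edge' is the development branch; the advisory lists it as a fixed
    target, so it is treated as not affected (assumption)."""
    if version.strip().lower() == "edge":
        return False
    installed = parse_version(version)
    return all(OPS[op](installed, bound) for op, bound in parse_range(spec))

def assess(version, install_dir):
    """Return 'patched', 'mitigated' (affected version but p/ext.php removed)
    or 'vulnerable' (affected version and p/ext.php still present)."""
    if not is_affected(version):
        return "patched"
    if not os.path.exists(os.path.join(install_dir, WORKAROUND_FILE)):
        return "mitigated"
    return "vulnerable"
```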
