History: Jul 20, 2022 - 2:01 a.m.

CVE-2022-32457 Data Systems Consulting Co., Ltd. BPM - Blind Server-Side Request Forgery (SSRF)

Published: 2022-07-20 02:01:03
CWE: CWE-918 (Server-Side Request Forgery)
Reporter: twcert
Source: www.cve.org
Tags: cve-2022-32457, blind ssrf attack, digiwin bpm, url parameter filtering, remote attacker, internal network topology

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.7 (Confidence: High)

EPSS: 0.001 (Percentile: 44.1%)

Digiwin BPM does not adequately filter a URL parameter. An unauthenticated remote attacker can use it to perform a blind SSRF attack: the response body of the server-side request is not returned, but the error response the application produces for an unreachable, refused or unresolvable URL differs by cause, which lets the attacker map the internal network topology.
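The following is an added example, not code from Digiwin or the advisory, illustrating the two halves of the issue described above: why an error-only ("blind") SSRF is still an oracle, and what a destination check that closes it looks like. All function names, the constructed DNS table and the sample URLs are hypothetical; nothing here reproduces the product's actual handler.

```python
"""Blind SSRF error oracle and a hardened outbound-URL check (illustrative, not product code)."""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


# --- The oracle: why a "blind" SSRF still discloses topology -----------------

def vulnerable_error_message(exc: OSError) -> str:
    """Pass-through error text (the pattern CVE-2022-32457 describes).
    'Connection refused' vs 'timed out' vs 'Name or service not known' tells a
    remote probe whether a host exists, whether a port is closed or filtered, and
    whether a name resolves, even though no response body is ever returned."""
    return f"Unable to fetch URL: {exc}"


def hardened_error_message(exc: OSError) -> str:
    """One constant message for every failure; the detail belongs in server-side logs."""
    return "Unable to fetch URL."


def oracle_width(render: Callable[[OSError], str], errors: Iterable[OSError]) -> int:
    """Number of distinguishable responses an attacker can observe for the given
    failures. 1 means the endpoint is useless as an oracle; more means it leaks."""
    return len({render(e) for e in errors})


# --- The fix: validate the destination before connecting ----------------------

def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver; returns every A/AAAA address (all must pass)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def static_resolver(table: dict) -> Callable[[str], List[str]]:
    """Constructed, offline stand-in for DNS so the check runs without network."""
    def resolve(host: str) -> List[str]:
        try:
            return list(table[host])
        except KeyError:
            raise socket.gaierror(-2, "Name or service not known")
    return resolve


def is_safe_outbound_url(url: str,
                         resolver: Callable[[str], List[str]] = system_resolver) -> bool:
    """Allow only http(s) to globally routable addresses.
    Every resolved address must be global: private (10/8, 172.16/12, 192.168/16),
    loopback, link-local (including 169.254.169.254 cloud metadata), multicast,
    unspecified and reserved ranges are all refused by ipaddress.is_global."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parsed.hostname          # strips userinfo, port and IPv6 brackets
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # literal IP: no lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False            # unresolvable: refuse, and do not say why
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


if __name__ == "__main__":
    dns = static_resolver({"www.example.com": ["93.184.216.34"],
                           "intranet.example": ["10.0.0.5"]})
    for u in ("https://www.example.com/", "http://intranet.example/",
              "http://169.254.169.254/", "file:///etc/passwd"):
        print(u, "->", "allowed" if is_safe_outbound_url(u, dns) else "refused")
```

Two caveats a reviewer would raise: the check must run on the addresses the client actually connects to (pin the validated IP, or re-validate after each redirect), otherwise DNS rebinding or a 302 to an internal host bypasses it; and the constant error message matters as much as the allowlist, because an allowlist that says "host not permitted: 10.0.0.5" is still an oracle.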

CNA Affected

[
  {
    "product": "BPM",
    "vendor": "Data Systems Consulting Co., Ltd.",
    "versions": [
      {
        "lessThanOrEqual": "5.8.6.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

