Lucene search

INCDCVELIST:CVE-2022-36781

HistorySep 11, 2022 - 12:00 a.m.

CVE-2022-36781 ConnectWise - ScreenConnect Session Code Bypass

2022-09-1100:00:00

INCD

www.cve.org

cve-2022-36781

connectwise

screenconnect

vulnerability

unauthorized access

brute force attacks

rate-limiting controls

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

JSON

ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ScreenConnect",
    "vendor": "ConnectWise",
    "versions": [
      {
        "lessThan": "22.6*",
        "status": "affected",
        "version": "22.7",
        "versionType": "custom"
      }
    ]
  }
]

References

www.gov.il/en/Departments/faq/cve_advisories

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

JSON

Related for CVELIST:CVE-2022-36781