History: Nov 10, 2022 - 2:20 a.m.

CVE-2022-39038 FLOWRING Agentflow BPM - Broken Access Control

2022-11-10 02:20:46
CWE-287
twcert
www.cve.org
agentflow
bpm
accesscontrol
vulnerability
authentication
remoteattack

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9
Confidence: High

EPSS: 0.002
Percentile: 61.9%

The Agentflow BPM enterprise management system has improper authentication. A remote attacker with general user privileges can change the name of the user account to acquire the privileges of an arbitrary account, and then access or manipulate the system or disrupt service.

CNA Affected

[
  {
    "vendor": "FLOWRING",
    "product": "Agentflow BPM",
    "versions": [
      {
        "version": "4.0.0.1183.552",
        "status": "affected"
      }
    ]
  }
]
