Lucene search

TwcertCVELIST:CVE-2022-39055

HistoryOct 18, 2022 - 5:40 a.m.

CVE-2022-39055 Changing Information Technology Inc. RAVA certificate validation system - Server-Side Request Forgery (SSRF)

2022-10-1805:40:19

CWE-918

twcert

www.cve.org

cve-2022-39055

information technology inc

rava certificate

ssrf

server-side request forgery

url parameter

unauthenticated remote attacker

internal network topology

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

49.2%

JSON

RAVA certificate validation system has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform SSRF attack to discover internal network topology base on query response.

CNA Affected

[
  {
    "vendor": "Changing Information Technology Inc.",
    "product": "RAVA certificate validation system",
    "versions": [
      {
        "version": "3",
        "status": "affected"
      }
    ]
  }
]

References

www.twcert.org.tw/tw/cp-132-6616-9092f-1.html

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

49.2%

JSON

Related for CVELIST:CVE-2022-39055