Lucene search

INCIBECVELIST:CVE-2022-43978

HistoryJan 27, 2023 - 12:00 a.m.

CVE-2022-43978 Limited Authentication bypass due to hardcoded secret

2023-01-2700:00:00

CWE-287

INCIBE

www.cve.org

authentication

bypass

hardcoded

secret

pandora fms

vulnerability

static

attacker

session

5.6 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

There is an improper authentication vulnerability in Pandora FMS v764. The application verifies that the user has a valid session when he is not trying to do a login. Since the secret is static in generatePublicHash function, an attacker with knowledge of a valid session can abuse this in order to pass the authentication check.

CNA Affected

[
  {
    "vendor": "Artica PFMS",
    "product": "Pandora FMS",
    "versions": [
      {
        "version": "v764",
        "status": "affected",
        "lessThanOrEqual": "v764",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "all"
    ]
  }
]

References

pandorafms.com/en/security/common-vulnerabilities-and-exposures/

5.6 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

Related for CVELIST:CVE-2022-43978