Lucene search

[email protected]NVD:CVE-2022-39315

HistoryOct 25, 2022 - 5:15 p.m.

CVE-2022-39315

2022-10-2517:15:55

CWE-209

CWE-204

[email protected]

web.nvd.nist.gov

kirby cms

user enumeration

vulnerability

patched

targeted attacks

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

48.9%

JSON

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby’s API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Affected configurations

NVD

Node

getkirbykirbyRange<3.5.8.2

getkirbykirbyRange3.6.0–3.6.6.2

getkirbykirbyRange3.7.0–3.7.5.1

getkirbykirbyMatch3.8.0-

getkirbykirbyMatch3.8.0rc1

getkirbykirbyMatch3.8.0rc2

getkirbykirbyMatch3.8.0rc3

References

github.com/getkirby/kirby/releases/tag/3.5.8.2

github.com/getkirby/kirby/releases/tag/3.6.6.2

github.com/getkirby/kirby/releases/tag/3.7.5.1

github.com/getkirby/kirby/releases/tag/3.8.1

github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

48.9%

JSON

Related for NVD:CVE-2022-39315

cvelist1 cve1 github1 veracode1 osv2 prion1