Lucene search

K
nvd[email protected]NVD:CVE-2022-41397
HistoryApr 28, 2023 - 1:15 p.m.

CVE-2022-41397

2023-04-2813:15:13
CWE-798
web.nvd.nist.gov
3
sage 300
version 2022
web screens
global search
hard-coded blowfish key
landlordpasskey
encryption
decryption
configuration files
database tables

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.6%

The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key (“LandlordPassKey”) to encrypt and decrypt secrets stored in configuration files and in database tables.

Affected configurations

Nvd
Node
sagesage_300Range2022
VendorProductVersionCPE
sagesage_300*cpe:2.3:a:sage:sage_300:*:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

57.6%

Related for NVD:CVE-2022-41397