Lucene search

GoogleOSV:CVE-2022-37857

HistorySep 08, 2022 - 4:15 p.m.

CVE-2022-37857

2022-09-0816:15:08

Google

osv.dev

cve-2022-37857

hauk v1.6.1

hardcoded password

config.php

server-side

android client

clear-text

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

48.3%

JSON

bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear-text on the android client device by default.

References

gainsec.com/2022/08/07/cve-2022-hardcoded-creds-weak-password-hauk-android-location-sharing/

github.com/bilde2910/Hauk/issues/187

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

48.3%

JSON

Related for OSV:CVE-2022-37857