Lucene search

GoogleOSV:CVE-2022-48341

HistoryFeb 23, 2023 - 6:15 a.m.

CVE-2022-48341

2023-02-2306:15:10

Google

osv.dev

thingsboard 3.4.1

vertical privilege escalation

scopes parameter

remote attacker

tenant administrator

system administrator

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.6%

JSON

ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. A Tenant Administrator can obtain System Administrator dashboard access by modifying the scope via the scopes parameter.

CPENameOperatorVersion
thingsboardeq1.0
thingsboardeq1.3
thingsboardeq2.1.3
thingsboardeq2.0
thingsboardeq3.4.1
thingsboardeq1.2.1
thingsboardeq2.3
thingsboardeq1.2.3
thingsboardeq1.2.2
thingsboardeq2.5

Name	Operator	Version
thingsboard	eq	1.0
thingsboard	eq	1.3
thingsboard	eq	2.1.3
thingsboard	eq	2.0
thingsboard	eq	3.4.1
thingsboard	eq	1.2.1
thingsboard	eq	2.3
thingsboard	eq	1.2.3
thingsboard	eq	1.2.2
thingsboard	eq	2.5

Rows per page:

1-10 of 261

References

exchange.xforce.ibmcloud.com/vulnerabilities/238543

thingsboard.io/docs/reference/releases/

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.6%

JSON

Related for OSV:CVE-2022-48341