CVE-2022-1026 - OpenCVE

Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Kyocera	Net Viewer

Configuration 1 [-]

cpe:2.3:a:kyocera:net_viewer:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html	Vendor Advisory
https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: rapid7

Published: 2022-03-29T00:00:00

Updated: 2022-04-04T14:15:18

Reserved: 2022-03-18T00:00:00

Link: CVE-2022-1026

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-04T15:15:09.307

Modified: 2022-04-12T17:20:53.310

Link: CVE-2022-1026

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "Multifunction Printer Net Viewer", "vendor": "Kyocera", "versions": [{"lessThanOrEqual": "2S0_1000.005.0012S5_2000.002.505", "status": "affected", "version": "2S0_1000.005.0012S5_2000.002.505", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Aaron Herndon, Rapid7"}], "datePublic": "2022-03-29T00:00:00", "descriptions": [{"lang": "en", "value": "Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-04T14:15:18", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/"}], "source": {"discovery": "EXTERNAL"}, "title": "Kyocera Net View Address Book Exposure", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2022-03-29T13:05:00.000Z", "ID": "CVE-2022-1026", "STATE": "PUBLIC", "TITLE": "Kyocera Net View Address Book Exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Multifunction Printer Net Viewer", "version": {"version_data": [{"version_affected": "<=", "version_name": "2S0_1000.005.0012S5_2000.002.505", "version_value": "2S0_1000.005.0012S5_2000.002.505"}]}}]}, "vendor_name": "Kyocera"}]}}, "credit": [{"lang": "eng", "value": "Aaron Herndon, Rapid7"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html", "refsource": "CONFIRM", "url": "https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html"}, {"name": "https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/", "refsource": "MISC", "url": "https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2022-1026", "datePublished": "2022-03-29T00:00:00", "dateReserved": "2022-03-18T00:00:00", "dateUpdated": "2022-04-04T14:15:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kyocera:net_viewer:*:*:*:*:*:*:*:*", "matchCriteriaId": "B331E123-C9CF-40AE-AB42-01AF14C3C855", "versionEndIncluding": "2s0_1000.005.0012s5_2000.002.505", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function."}, {"lang": "es", "value": "Las impresoras multifunci\u00f3n Kyocera que ejecutan versiones vulnerables de Net View exponen involuntariamente informaci\u00f3n confidencial del usuario, incluyendo nombres de usuario y contrase\u00f1as, mediante una funci\u00f3n de exportaci\u00f3n de la libreta de direcciones insuficientemente protegida"}], "id": "CVE-2022-1026", "lastModified": "2022-04-12T17:20:53.310", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2022-04-04T15:15:09.307", "references": [{"source": "cve@rapid7.com", "tags": ["Vendor Advisory"], "url": "https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-04-04.html"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "cve@rapid7.com", "type": "Secondary"}]}