CVE-2022-1065 - OpenCVE

A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Abacus	Abacus Erp 2021 Abacus Erp 2022 Abacus Erp 2019 Abacus Erp 2020 Abacus Erp 2018

Configuration 1 [-]

OR	cpe:2.3:a:abacus:abacus_erp_2018::::::::
	cpe:2.3:a:abacus:abacus_erp_2019::::::::
	cpe:2.3:a:abacus:abacus_erp_2020::::::::
	cpe:2.3:a:abacus:abacus_erp_2021::::::::
	cpe:2.3:a:abacus:abacus_erp_2022::::::::

References

Link	Resource
https://www.redguard.ch/advisories/abacus_mfa_bypass.txt	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2022-04-19T07:50:10

Updated: 2022-04-19T07:50:10

Reserved: 2022-03-24T00:00:00

Link: CVE-2022-1065

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-19T08:15:06.810

Modified: 2022-04-27T14:56:08.903

Link: CVE-2022-1065

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Abacus ERP", "vendor": "Abacus Research AG", "versions": [{"lessThan": "R1 of 2022-01-15", "status": "affected", "version": "v2022", "versionType": "custom"}, {"lessThan": "R4 of 2022-01-15", "status": "affected", "version": "v2021", "versionType": "custom"}, {"lessThan": "R6 of 2022-01-15", "status": "affected", "version": "v2020", "versionType": "custom"}, {"changes": [{"at": "R5 of 2020-03-15", "status": "affected"}], "lessThan": "v2019*", "status": "affected", "version": "R5 (service pack)", "versionType": "custom"}, {"changes": [{"at": "R7 of 2020-04-15", "status": "affected"}], "lessThan": "v2018*", "status": "affected", "version": "R5 (service pack)", "versionType": "custom"}, {"lessThanOrEqual": "and prior versions", "status": "unaffected", "version": "v2017", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Roman Gribi, Redguard AG"}], "descriptions": [{"lang": "en", "value": "A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-304", "description": "CWE-304 Missing Critical Step in Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T07:50:10", "orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}], "solutions": [{"lang": "en", "value": "Install the available hot fixes and / or service packs from 2022-01-15 or newer"}], "source": {"discovery": "EXTERNAL"}, "title": "Multi Factor Authentication Bypass in various versions of Abacus ERP", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2022-1065", "STATE": "PUBLIC", "TITLE": "Multi Factor Authentication Bypass in various versions of Abacus ERP"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Abacus ERP", "version": {"version_data": [{"version_affected": "<", "version_name": "v2022", "version_value": "R1 of 2022-01-15"}, {"version_affected": "<", "version_name": "v2021", "version_value": "R4 of 2022-01-15"}, {"version_affected": "<", "version_name": "v2020", "version_value": "R6 of 2022-01-15"}, {"version_affected": ">", "version_name": "v2019", "version_value": "R5 (service pack)"}, {"version_affected": ">", "version_name": "v2018", "version_value": "R5 (service pack)"}, {"version_affected": "!<", "version_name": "v2019", "version_value": "R5 of 2020-03-15"}, {"version_affected": "!<", "version_name": "v2018", "version_value": "R7 of 2020-04-15"}, {"version_affected": "!<=", "version_name": "v2017", "version_value": "and prior versions"}]}}]}, "vendor_name": "Abacus Research AG"}]}}, "credit": [{"lang": "eng", "value": "Roman Gribi, Redguard AG"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-304 Missing Critical Step in Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt", "refsource": "CONFIRM", "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}]}, "solution": [{"lang": "en", "value": "Install the available hot fixes and / or service packs from 2022-01-15 or newer"}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "assignerShortName": "NCSC.ch", "cveId": "CVE-2022-1065", "datePublished": "2022-04-19T07:50:10", "dateReserved": "2022-03-24T00:00:00", "dateUpdated": "2022-04-19T07:50:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abacus:abacus_erp_2018:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E6374E0-5722-4E67-8D3D-7064972155DF", "versionStartIncluding": "r7", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2019:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE33C1DA-93EA-4EF0-A997-73065915A281", "versionStartIncluding": "r5", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2020:*:*:*:*:*:*:*:*", "matchCriteriaId": "5661E368-AF11-4AC0-9169-D1C5BBD698AC", "versionEndExcluding": "r6", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2021:*:*:*:*:*:*:*:*", "matchCriteriaId": "C33CFF07-8293-4A50-9877-2521D655725D", "versionEndExcluding": "r4", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E9364AB-33D8-43C2-8202-4562DC60F069", "versionEndExcluding": "r1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad en el proceso de autenticaci\u00f3n de Abacus ERP permite a un atacante remoto omitir el segundo factor de autenticaci\u00f3n. Este problema afecta a: Abacus ERP v2022 versiones anteriores a R1 de 15-01-2022; v2021 versiones anteriores a R4 de 15-01-2022; v2020 versiones anteriores a R6 de 15-01-2022; v2019 versiones posteriores a R5 (service pack); v2018 versiones posteriores a R5 (service pack). Este problema no afecta a: Abacus ERP v2019 versiones anteriores a R5 de 15-03-2020; v2018 versiones anteriores a R7 de 15-04-2020; v2017 versi\u00f3n y versiones anteriores y versiones anteriores"}], "id": "CVE-2022-1065", "lastModified": "2022-04-27T14:56:08.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2022-04-19T08:15:06.810", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-304"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}