CVE-2022-23183 - OpenCVE

Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Advancedcustomfields	Advanced Custom Fields

Configuration 1 [-]

OR	cpe:2.3:a:advancedcustomfields:advanced_custom_fields:::::-:wordpress::
	cpe:2.3:a:advancedcustomfields:advanced_custom_fields:::::pro:wordpress::

References

Link	Resource
https://jvn.jp/en/jp/JVN42543427/index.html	Third Party Advisory
https://wordpress.org/plugins/advanced-custom-fields/	Product Third Party Advisory
https://www.advancedcustomfields.com/	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2022-03-31T07:20:54

Updated: 2022-03-31T07:20:54

Reserved: 2022-02-18T00:00:00

Link: CVE-2022-23183

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-31T08:15:08.257

Modified: 2022-04-07T20:02:20.227

Link: CVE-2022-23183

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "Advanced Custom Fields", "vendor": "Delicious Brains", "versions": [{"status": "affected", "version": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1"}]}], "descriptions": [{"lang": "en", "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."}], "problemTypes": [{"descriptions": [{"description": "Missing authorization", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-31T07:20:54", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.advancedcustomfields.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2022-23183", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Advanced Custom Fields", "version": {"version_data": [{"version_value": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1"}]}}]}, "vendor_name": "Delicious Brains"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.advancedcustomfields.com/", "refsource": "MISC", "url": "https://www.advancedcustomfields.com/"}, {"name": "https://wordpress.org/plugins/advanced-custom-fields/", "refsource": "MISC", "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"name": "https://jvn.jp/en/jp/JVN42543427/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-23183", "datePublished": "2022-03-31T07:20:54", "dateReserved": "2022-02-18T00:00:00", "dateUpdated": "2022-03-31T07:20:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "3DDE767C-FF73-4C33-BED6-F8FDB093DE52", "versionEndExcluding": "5.12.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "23698E76-F1B5-4CAB-BF70-711627DE557F", "versionEndExcluding": "5.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."}, {"lang": "es", "value": "Una vulnerabilidad de falta de autorizaci\u00f3n en Advanced Custom Fields versiones anteriores a 5.12.1 y en Advanced Custom Fields Pro versiones anteriores a 5.12.1, permite a un atacante remoto autenticado visualizar la informaci\u00f3n de la base de datos sin el permiso de acceso"}], "id": "CVE-2022-23183", "lastModified": "2022-04-07T20:02:20.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-31T08:15:08.257", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product", "Vendor Advisory"], "url": "https://www.advancedcustomfields.com/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}