CVE-2022-24075 - OpenCVE

Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Navercorp	Whale

Configuration 1 [-]

cpe:2.3:a:navercorp:whale:*:*:*:*:*:*:*:*

References

Link	Resource
https://cve.naver.com/detail/cve-2022-24075	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: naver

Published: 2022-03-17T05:20:17

Updated: 2022-03-17T05:20:17

Reserved: 2022-01-27T00:00:00

Link: CVE-2022-24075

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-17T06:15:06.950

Modified: 2022-03-23T18:52:25.137

Link: CVE-2022-24075

JSON object: View

Redhat Information

No data.

CWE

CWE-552

{"containers": {"cna": {"affected": [{"product": "NAVER Whale browser", "vendor": "NAVER", "versions": [{"lessThan": "3.12.129.46", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Young Min Kim"}], "descriptions": [{"lang": "en", "value": "Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-17T05:20:17", "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6", "shortName": "naver"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cve.naver.com/detail/cve-2022-24075"}], "source": {"discovery": "EXTERNAL"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@navercorp.com", "ID": "CVE-2022-24075", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "NAVER Whale browser", "version": {"version_data": [{"version_affected": "<", "version_value": "3.12.129.46"}]}}]}, "vendor_name": "NAVER"}]}}, "credit": [{"lang": "eng", "value": "Young Min Kim"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-552: Files or Directories Accessible to External Parties"}]}]}, "references": {"reference_data": [{"name": "https://cve.naver.com/detail/cve-2022-24075", "refsource": "CONFIRM", "url": "https://cve.naver.com/detail/cve-2022-24075"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6", "assignerShortName": "naver", "cveId": "CVE-2022-24075", "datePublished": "2022-03-17T05:20:17", "dateReserved": "2022-01-27T00:00:00", "dateUpdated": "2022-03-17T05:20:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:navercorp:whale:*:*:*:*:*:*:*:*", "matchCriteriaId": "47138F1B-655D-4459-905C-7BFA3A326DC5", "versionEndExcluding": "3.12.129.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files."}, {"lang": "es", "value": "Whale browser versiones anteriores a 3.12.129.18, permit\u00eda que las extensiones sustituyeran a archivos JavaScript del sitio web del visualizador de HWP que pod\u00edan acceder a archivos locales de HWP. Cuando eran abiertos archivos HWP, el script sustituido pod\u00eda leer los archivos"}], "id": "CVE-2022-24075", "lastModified": "2022-03-23T18:52:25.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-17T06:15:06.950", "references": [{"source": "cve@navercorp.com", "tags": ["Vendor Advisory"], "url": "https://cve.naver.com/detail/cve-2022-24075"}], "sourceIdentifier": "cve@navercorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-552"}], "source": "cve@navercorp.com", "type": "Secondary"}]}