CVE-2022-24414 - OpenCVE

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Dell	Cloudlink

Configuration 1 [-]

cpe:2.3:a:dell:cloudlink:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000197425/dsa-2022-064-dell-emc-cloudlink-security-update-for-security-vulnerabilities	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2022-03-16T00:00:00

Updated: 2022-05-26T15:20:17

Reserved: 2022-02-04T00:00:00

Link: CVE-2022-24414

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-26T16:15:07.920

Modified: 2022-06-07T17:21:15.767

Link: CVE-2022-24414

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "CloudLink", "vendor": "Dell", "versions": [{"lessThan": "7.1.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-03-16T00:00:00", "descriptions": [{"lang": "en", "value": "Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attacks."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-598", "description": "CWE-598: Information Exposure Through Query Strings in GET Request", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-26T15:20:17", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dell.com/support/kbdoc/en-us/000197425/dsa-2022-064-dell-emc-cloudlink-security-update-for-security-vulnerabilities"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2022-03-16", "ID": "CVE-2022-24414", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CloudLink", "version": {"version_data": [{"version_affected": "<", "version_value": "7.1.3"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attacks."}]}, "impact": {"cvss": {"baseScore": 7.6, "baseSeverity": "High", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-598: Information Exposure Through Query Strings in GET Request"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/kbdoc/en-us/000197425/dsa-2022-064-dell-emc-cloudlink-security-update-for-security-vulnerabilities", "refsource": "MISC", "url": "https://www.dell.com/support/kbdoc/en-us/000197425/dsa-2022-064-dell-emc-cloudlink-security-update-for-security-vulnerabilities"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2022-24414", "datePublished": "2022-03-16T00:00:00", "dateReserved": "2022-02-04T00:00:00", "dateUpdated": "2022-05-26T15:20:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:cloudlink:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7C03153-CEE0-40A7-A11E-23F33E28FA2F", "versionEndIncluding": "7.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attacks."}, {"lang": "es", "value": "Dell EMC CloudLink versiones 7.1.3 y todas las versiones anteriores, el token de autenticaci\u00f3n es expuesto en las peticiones GET. Estos par\u00e1metros de petici\u00f3n pueden quedar registrados en los proxies inversos y en los registros del servidor. Los atacantes pueden usar potencialmente estos tokens para acceder al servidor de CloudLink. Los tokens no deben ser usados en la URL de la petici\u00f3n para evitar tales ataques"}], "id": "CVE-2022-24414", "lastModified": "2022-06-07T17:21:15.767", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2022-05-26T16:15:07.920", "references": [{"source": "security_alert@emc.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000197425/dsa-2022-064-dell-emc-cloudlink-security-update-for-security-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-598"}], "source": "security_alert@emc.com", "type": "Secondary"}]}