CVE-2022-25577 - OpenCVE

ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Alf-banco	Alf-banco

Configuration 1 [-]

cpe:2.3:a:alf-banco:alf-banco:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ph0nkybit/proof-of-concepts/tree/main/Use_Of_Hardcoded_Password_In_ALF-BanCO_8.2.x	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-25T16:17:30

Updated: 2022-03-25T16:17:30

Reserved: 2022-02-21T00:00:00

Link: CVE-2022-25577

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-25T17:15:08.720

Modified: 2022-03-31T01:17:55.747

Link: CVE-2022-25577

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alf-banco:alf-banco:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF4177EB-9609-4DC3-B02C-87E290B24DAA", "versionEndIncluding": "8.2.5", "versionStartIncluding": "8.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data."}, {"lang": "es", "value": "Se ha detectado que ALF-BanCO versiones v8.2.5 y anteriores, usa una contrase\u00f1a embebida para cifrar la base de datos SQLite que contiene los datos del usuario. Los atacantes que pueden conseguir acceso remoto o local al sistema pueden leer y modificar los datos"}], "id": "CVE-2022-25577", "lastModified": "2022-03-31T01:17:55.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-25T17:15:08.720", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ph0nkybit/proof-of-concepts/tree/main/Use_Of_Hardcoded_Password_In_ALF-BanCO_8.2.x"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}