CVE-2022-27332 - OpenCVE

An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Zammad	Zammad

Configuration 1 [-]

cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*

References

Link	Resource
https://zammad.com/en/advisories/zaa-2022-01	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-27T02:47:10

Updated: 2022-04-27T02:47:10

Reserved: 2022-03-21T00:00:00

Link: CVE-2022-27332

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-27T03:15:39.610

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-27332

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*", "matchCriteriaId": "8130D2A5-8D31-464A-BD93-8B2806F36BA4", "versionEndExcluding": "5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS)."}, {"lang": "es", "value": "Un problema de control de acceso en Zammad versi\u00f3n v5.0.3, permite a atacantes escribir entradas en el registro de llamadas de CTI sin autenticaci\u00f3n. Esta vulnerabilidad puede permitir a atacantes ejecutar ataques de phishing o causar una Denegaci\u00f3n de Servicio (DoS)"}], "id": "CVE-2022-27332", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-27T03:15:39.610", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://zammad.com/en/advisories/zaa-2022-01"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}