CVE-2022-2921 - OpenCVE

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Notrinos	Notrinoserp

Configuration 1 [-]

cpe:2.3:a:notrinos:notrinoserp:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45	Patch Third Party Advisory
https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-08-21T03:15:20

Updated: 2022-08-21T05:40:08

Reserved: 2022-08-21T00:00:00

Link: CVE-2022-2921

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-21T04:15:10.703

Modified: 2022-08-23T16:09:32.733

Link: CVE-2022-2921

JSON object: View

Redhat Information

No data.

CWE

CWE-359

{"containers": {"cna": {"affected": [{"product": "notrinos/notrinoserp", "vendor": "notrinos", "versions": [{"lessThan": "0.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-21T05:40:08", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}], "source": {"advisory": "51b32a1c-946b-4390-a212-b6c4b6e4115c", "discovery": "EXTERNAL"}, "title": "Exposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-2921", "STATE": "PUBLIC", "TITLE": "Exposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "notrinos/notrinoserp", "version": {"version_data": [{"version_affected": "<", "version_value": "0.7"}]}}]}, "vendor_name": "notrinos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}, {"name": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45", "refsource": "MISC", "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}]}, "source": {"advisory": "51b32a1c-946b-4390-a212-b6c4b6e4115c", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-2921", "datePublished": "2022-08-21T03:15:20", "dateReserved": "2022-08-21T00:00:00", "dateUpdated": "2022-08-21T05:40:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:notrinos:notrinoserp:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DA2C016-D055-4DB8-AE79-4E8247EAD917", "versionEndExcluding": "0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions."}, {"lang": "es", "value": "Una Exposici\u00f3n de Informaci\u00f3n Personal Privada a un Actor no Autorizado en el repositorio GitHub notrinos/notrinoserp versiones anteriores a v0.7. Esto resulta en una escalada de privilegios a una cuenta de administrador del sistema. Un atacante puede conseguir acceso a funcionalidades protegidas como crear/actualizar empresas, instalar/actualizar idiomas, instalar/activar extensiones, instalar/activar temas y otras acciones permisivas."}], "id": "CVE-2022-2921", "lastModified": "2022-08-23T16:09:32.733", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-21T04:15:10.703", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "security@huntr.dev", "type": "Primary"}]}