CVE-2022-30622 - OpenCVE

Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Chcnav	P5e Gnss P5e Gnss Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:chcnav:p5e_gnss_firmware::::::::
	cpe:2.3:o:chcnav:p5e_gnss_firmware:4.2:::::::*

cpe:2.3:h:chcnav:p5e_gnss:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.gov.il/en/Departments/faq/cve_advisories	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCD

Published: 2022-07-13T00:00:00

Updated: 2022-07-17T20:11:56

Reserved: 2022-05-12T00:00:00

Link: CVE-2022-30622

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-17T21:15:08.803

Modified: 2022-07-28T13:37:01.893

Link: CVE-2022-30622

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "Chcnav - P5E GNSS ", "vendor": "Chcnav", "versions": [{"lessThan": "4.1*", "status": "affected", "version": "4.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "MetaData"}], "datePublic": "2022-07-13T00:00:00", "descriptions": [{"lang": "en", "value": "Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-17T20:11:56", "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "source": {"defect": ["ILVN-2022-0032"], "discovery": "EXTERNAL"}, "title": "Chcnav - P5E GNSS Information disclosure", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cyber.gov.il", "DATE_PUBLIC": "2022-07-13T11:59:00.000Z", "ID": "CVE-2022-30622", "STATE": "PUBLIC", "TITLE": "Chcnav - P5E GNSS Information disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chcnav - P5E GNSS ", "version": {"version_data": [{"version_affected": ">=", "version_name": "4.1", "version_value": "4.2"}]}}]}, "vendor_name": "Chcnav"}]}}, "credit": [{"lang": "eng", "value": "MetaData"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://www.gov.il/en/Departments/faq/cve_advisories", "refsource": "MISC", "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}, "source": {"defect": ["ILVN-2022-0032"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "assignerShortName": "INCD", "cveId": "CVE-2022-30622", "datePublished": "2022-07-13T00:00:00", "dateReserved": "2022-05-12T00:00:00", "dateUpdated": "2022-07-17T20:11:56", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:chcnav:p5e_gnss_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D517250C-921A-494E-9B38-6154732AA2E5", "versionEndIncluding": "4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:chcnav:p5e_gnss_firmware:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "B26293DB-77D5-4417-B72C-6EEDFE6151D5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:chcnav:p5e_gnss:-:*:*:*:*:*:*:*", "matchCriteriaId": "56783F0F-85AA-4B6F-BC24-3F7659A86567", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword."}, {"lang": "es", "value": "Una revelaci\u00f3n de informaci\u00f3n: el sistema permite visualizar los nombres de usuario y las contrase\u00f1as sin permisos, por lo que ser\u00e1 posible entrar en el sistema. Acceso a la ruta: http://api/sys_username_passwd.cmd - El servidor carga la petici\u00f3n de forma clara por defecto. La divulgaci\u00f3n de la informaci\u00f3n de cr\u00e9dito embebida en el c\u00f3digo JS que es enviado al cliente dentro del archivo Login.js es un usuario fuerte (que no est\u00e1 documentado) y tambi\u00e9n la contrase\u00f1a, que permiten el acceso de super usuario. Nombre de usuario: chcadmin, Contrase\u00f1a: chcpassword"}], "id": "CVE-2022-30622", "lastModified": "2022-07-28T13:37:01.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@cyber.gov.il", "type": "Secondary"}]}, "published": "2022-07-17T21:15:08.803", "references": [{"source": "cna@cyber.gov.il", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}