CVE-2022-33146 - OpenCVE

Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Web2py	Web2py

Configuration 1 [-]

cpe:2.3:a:web2py:web2py:*:*:*:*:*:*:*:*

References

Link	Resource
http://web2py.com/	Product Vendor Advisory
https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451	Patch Third Party Advisory
https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110	Patch Third Party Advisory
https://jvn.jp/en/jp/JVN02158640/index.html	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2022-06-27T00:20:17

Updated: 2022-06-27T00:20:17

Reserved: 2022-06-14T00:00:00

Link: CVE-2022-33146

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-06-27T01:15:07.290

Modified: 2022-07-07T15:58:53.770

Link: CVE-2022-33146

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"containers": {"cna": {"affected": [{"product": "web2py", "vendor": "web2py", "versions": [{"status": "affected", "version": "versions prior to 2.22.5"}]}], "descriptions": [{"lang": "en", "value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."}], "problemTypes": [{"descriptions": [{"description": "Open Redirect", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-27T00:20:17", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://web2py.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN02158640/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2022-33146", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "web2py", "version": {"version_data": [{"version_value": "versions prior to 2.22.5"}]}}]}, "vendor_name": "web2py"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Open Redirect"}]}]}, "references": {"reference_data": [{"name": "http://web2py.com/", "refsource": "MISC", "url": "http://web2py.com/"}, {"name": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110", "refsource": "MISC", "url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"}, {"name": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451", "refsource": "MISC", "url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"}, {"name": "https://jvn.jp/en/jp/JVN02158640/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN02158640/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-33146", "datePublished": "2022-06-27T00:20:17", "dateReserved": "2022-06-14T00:00:00", "dateUpdated": "2022-06-27T00:20:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:web2py:web2py:*:*:*:*:*:*:*:*", "matchCriteriaId": "78A02AAA-61CB-45B9-8F00-E37DF170AD9E", "versionEndExcluding": "2.22.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL."}, {"lang": "es", "value": "Una vulnerabilidad de redireccionamiento abierto en las versiones de web2py anteriores a 2.22.5 permite a un atacante remoto redirigir a un usuario a un sitio web arbitrario y conducir un ataque de phishing haciendo que el usuario acceda a una URL especialmente dise\u00f1ada"}], "id": "CVE-2022-33146", "lastModified": "2022-07-07T15:58:53.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-27T01:15:07.290", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Product", "Vendor Advisory"], "url": "http://web2py.com/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451"}, {"source": "vultures@jpcert.or.jp", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://jvn.jp/en/jp/JVN02158640/index.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}