CVE-2022-3342 - OpenCVE

Vendors	Products
Automattic	Jetpack Crm

Link	Resource
https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863	Patch
https://plugins.trac.wordpress.org/changeset/2805282/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80?source=cve	Third Party Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-3342", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2022-09-27T15:00:10.109Z", "datePublished": "2023-10-20T07:29:24.289Z", "dateUpdated": "2023-10-20T07:29:24.289Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-10-20T07:29:24.289Z"}, "affected": [{"vendor": "automattic", "product": "Jetpack CRM \u2013 Clients, Leads, Invoices, Billing, Email Marketing, & Automation", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the \u2018zbscrmcsvimpf\u2019 parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863"}, {"url": "https://plugins.trac.wordpress.org/changeset/2805282/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ramuel Gall"}], "timeline": [{"time": "2023-04-18T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:automattic:jetpack_crm:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "23B2D955-C8DB-410C-854D-E1276B683ABA", "versionEndIncluding": "5.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the \u2018zbscrmcsvimpf\u2019 parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link."}, {"lang": "es", "value": "El complemento Jetpack CRM para WordPress es vulnerable a la deserializaci\u00f3n PHAR a trav\u00e9s del par\u00e1metro 'zbscrmcsvimpf' en la funci\u00f3n 'zeroBSCRM_CSVImporterLitehtml_app' en versiones hasta la 5.3.1 incluida. Si bien la funci\u00f3n realiza una verificaci\u00f3n nonce, los pasos 2 y 3 de la verificaci\u00f3n no realizan ninguna acci\u00f3n ante una verificaci\u00f3n fallida. Luego, estos pasos realizan una verificaci\u00f3n de 'file_exists' en el valor de 'zbscrmcsvimpf'. Si se proporciona un archivo phar://, su contenido se deserializar\u00e1 y se inyectar\u00e1 un objeto en el flujo de ejecuci\u00f3n. Esto permite a un atacante no autenticado obtener una inyecci\u00f3n de objetos si puede cargar un archivo phar (por ejemplo, si el sitio admite la carga de im\u00e1genes) y luego enga\u00f1ar a un administrador para que realice una acci\u00f3n, como hacer click en un enlace."}], "id": "CVE-2022-3342", "lastModified": "2023-11-07T03:51:08.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2023-10-20T08:15:11.787", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2805282/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

JSON object

JSON object

JSON object