CVE-2022-34621 - OpenCVE

Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Mealie	Mealie

Configuration 1 [-]

OR	cpe:2.3:a:mealie:mealie:0.5.5:::::::*
	cpe:2.3:a:mealie:mealie:1.0.0:beta3::::::

References

Link	Resource
https://cwe.mitre.org/data/definitions/639.html	Third Party Advisory
https://docs.mealie.io/changelog/v0.5.6/	Release Notes Third Party Advisory
https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/	Third Party Advisory
https://hub.docker.com/r/hkotel/mealie	Product Third Party Advisory
https://portswigger.net/web-security/access-control/idor	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-08-19T13:21:24

Updated: 2022-08-19T13:21:24

Reserved: 2022-06-26T00:00:00

Link: CVE-2022-34621

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-19T14:15:08.333

Modified: 2022-08-23T17:46:25.737

Link: CVE-2022-34621

JSON object: View

Redhat Information

No data.

CWE

CWE-639

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-19T13:21:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://portswigger.net/web-security/access-control/idor"}, {"tags": ["x_refsource_MISC"], "url": "https://cwe.mitre.org/data/definitions/639.html"}, {"tags": ["x_refsource_MISC"], "url": "https://hub.docker.com/r/hkotel/mealie"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.mealie.io/changelog/v0.5.6/"}, {"tags": ["x_refsource_MISC"], "url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-34621", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://portswigger.net/web-security/access-control/idor", "refsource": "MISC", "url": "https://portswigger.net/web-security/access-control/idor"}, {"name": "https://cwe.mitre.org/data/definitions/639.html", "refsource": "MISC", "url": "https://cwe.mitre.org/data/definitions/639.html"}, {"name": "https://hub.docker.com/r/hkotel/mealie", "refsource": "MISC", "url": "https://hub.docker.com/r/hkotel/mealie"}, {"name": "https://docs.mealie.io/changelog/v0.5.6/", "refsource": "MISC", "url": "https://docs.mealie.io/changelog/v0.5.6/"}, {"name": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/", "refsource": "MISC", "url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-34621", "datePublished": "2022-08-19T13:21:24", "dateReserved": "2022-06-26T00:00:00", "dateUpdated": "2022-08-19T13:21:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mealie:mealie:0.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "10C41CD5-5C61-460E-9B99-DED00F430FAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mealie:mealie:1.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "99A25AF5-BEFA-4807-A4FE-33A3A7C6980A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter."}, {"lang": "es", "value": "Se ha detectado que Mealie versi\u00f3n 1.0.0beta3, contiene una vulnerabilidad de Referencia Directa a Objetos Insegura (IDOR) que permite a atacantes modificar las contrase\u00f1as de los usuarios y otros atributos por medio de la modificaci\u00f3n del par\u00e1metro user_id."}], "id": "CVE-2022-34621", "lastModified": "2022-08-23T17:46:25.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-19T14:15:08.333", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/639.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://docs.mealie.io/changelog/v0.5.6/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://hub.docker.com/r/hkotel/mealie"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://portswigger.net/web-security/access-control/idor"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}