CVE-2022-38118 - OpenCVE

OAKlouds Portal website’s Meeting Room has insufficient validation for user input. A remote attacker with general user privilege can perform SQL-injection to access, modify, delete database, perform system operations and disrupt service.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hgiga	Oaklouds Portal

Configuration 1 [-]

OR	cpe:2.3:a:hgiga:oaklouds_portal::::::::
	cpe:2.3:a:hgiga:oaklouds_portal::::::::

References

Link	Resource
https://www.chtsecurity.com/news/0a893178-5c64-4f1c-87f1-95cbf1e17c87	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-6461-25c4b-1.html	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2022-08-30T00:00:00

Updated: 2022-09-16T14:51:14

Reserved: 2022-08-10T00:00:00

Link: CVE-2022-38118

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-30T05:15:08.047

Modified: 2022-10-01T02:28:40.240

Link: CVE-2022-38118

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"platforms": ["OAKlouds-mol_metting-2.0"], "product": "OAKlouds", "vendor": "HGiga", "versions": [{"lessThanOrEqual": "OAKlouds-mol_metting-2.0-163", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"platforms": ["OAKlouds-mol_metting-3.0"], "product": "OAKlouds", "vendor": "HGiga", "versions": [{"lessThanOrEqual": "OAKlouds-mol_metting-3.0-163", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-08-30T00:00:00", "descriptions": [{"lang": "en", "value": "OAKlouds Portal website\u2019s Meeting Room has insufficient validation for user input. A remote attacker with general user privilege can perform SQL-injection to access, modify, delete database, perform system operations and disrupt service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T14:51:14", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-6461-25c4b-1.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.chtsecurity.com/news/0a893178-5c64-4f1c-87f1-95cbf1e17c87"}], "solutions": [{"lang": "en", "value": "OAKlouds-mol_metting-2.0 update version to OAKlouds-mol_metting-2.0-164\nOAKlouds-mol_metting-3.0 update version to OAKlouds-mol_metting-3.0-164"}], "source": {"advisory": "TVN-202208003", "discovery": "EXTERNAL"}, "title": "HGiga OAKlouds - SQL Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2022-08-30T04:05:00.000Z", "ID": "CVE-2022-38118", "STATE": "PUBLIC", "TITLE": "HGiga OAKlouds - SQL Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OAKlouds", "version": {"version_data": [{"platform": "OAKlouds-mol_metting-2.0", "version_affected": "<=", "version_value": "OAKlouds-mol_metting-2.0-163"}, {"platform": "OAKlouds-mol_metting-3.0", "version_affected": "<=", "version_value": "OAKlouds-mol_metting-3.0-163"}]}}]}, "vendor_name": "HGiga"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OAKlouds Portal website\u2019s Meeting Room has insufficient validation for user input. A remote attacker with general user privilege can perform SQL-injection to access, modify, delete database, perform system operations and disrupt service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-6461-25c4b-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-6461-25c4b-1.html"}, {"name": "https://www.chtsecurity.com/news/0a893178-5c64-4f1c-87f1-95cbf1e17c87", "refsource": "MISC", "url": "https://www.chtsecurity.com/news/0a893178-5c64-4f1c-87f1-95cbf1e17c87"}]}, "solution": [{"lang": "en", "value": "OAKlouds-mol_metting-2.0 update version to OAKlouds-mol_metting-2.0-164\nOAKlouds-mol_metting-3.0 update version to OAKlouds-mol_metting-3.0-164"}], "source": {"advisory": "TVN-202208003", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2022-38118", "datePublished": "2022-08-30T00:00:00", "dateReserved": "2022-08-10T00:00:00", "dateUpdated": "2022-09-16T14:51:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hgiga:oaklouds_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "286C164A-D522-471F-903B-1EB82E7F9BBD", "versionEndIncluding": "2.0-163", "versionStartIncluding": "2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hgiga:oaklouds_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1368AA8-FB06-4A14-8A2C-335E51A79376", "versionEndIncluding": "3.0-163", "versionStartIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OAKlouds Portal website\u2019s Meeting Room has insufficient validation for user input. A remote attacker with general user privilege can perform SQL-injection to access, modify, delete database, perform system operations and disrupt service."}, {"lang": "es", "value": "La Sala de Reuniones del Portal OAKlouds presenta una comprobaci\u00f3n insuficiente para la entrada de usuarios. Un atacante remoto con privilegio de usuario general puede llevar a cabo una inyecci\u00f3n SQL para acceder, modificar, eliminar la base de datos, llevar a cabo operaciones del sistema e interrumpir el servicio"}], "id": "CVE-2022-38118", "lastModified": "2022-10-01T02:28:40.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2022-08-30T05:15:08.047", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/0a893178-5c64-4f1c-87f1-95cbf1e17c87"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.twcert.org.tw/tw/cp-132-6461-25c4b-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}