CVE-2022-44796 - OpenCVE

An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in Object First Ootbi BETA build 1.0.13.1611.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Objectfirst	Object First

Configuration 1 [-]

cpe:2.3:a:objectfirst:object_first:*:*:*:*:*:*:*:*

References

Link	Resource
https://objectfirst.com/security/of-20221024-0002/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-07T00:00:00

Updated: 2023-03-17T00:00:00

Reserved: 2022-11-07T00:00:00

Link: CVE-2022-44796

JSON object: View

NVD Information

Status : Modified

Published: 2022-11-07T04:15:09.600

Modified: 2023-03-17T21:15:11.303

Link: CVE-2022-44796

JSON object: View

Redhat Information

No data.

CWE

CWE-338

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:objectfirst:object_first:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F4D5F6B-0CA9-4A79-9A3D-453783ADA673", "versionEndExcluding": "1.0.13.1611", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in Object First Ootbi BETA build 1.0.13.1611."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en la compilaci\u00f3n 1.0.7.712 de Object First Ootbi BETA. El servicio de autorizaci\u00f3n tiene un flujo que permite acceder a la interfaz de usuario web sin conocer las credenciales. Para firmar, el token JWT utiliza una clave secreta que se genera a trav\u00e9s de una funci\u00f3n que no produce secuencias criptogr\u00e1ficamente fuertes. Un atacante puede predecir estas secuencias y generar un token JWT. Como resultado, un atacante puede obtener acceso a la interfaz de usuario web. Esto se solucion\u00f3 en la compilaci\u00f3n 1.0.13.1611 de Object First Ootbi BETA."}], "id": "CVE-2022-44796", "lastModified": "2023-03-17T21:15:11.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-07T04:15:09.600", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://objectfirst.com/security/of-20221024-0002/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "nvd@nist.gov", "type": "Primary"}]}