CVE-2022-24875

The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4	Patch Third Party Advisory
https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m	Third Party Advisory
https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4	Patch Third Party Advisory
https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cve:cve-services:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-04-21 18:15

Updated : 2024-11-21 06:51

NVD link : CVE-2022-24875

Mitre link : CVE-2022-24875

CVE.ORG link : CVE-2022-24875

JSON object : View

Products Affected

cve

cve-services

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2022-24875", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-04-21T18:15:08.767", "references": [{"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."}, {"lang": "es", "value": "CVEProject/cve-services es un proyecto de c\u00f3digo abierto usado para operar la api de servicios CVE. En versiones hasta 1.1.1 incluy\u00e9ndola, el c\u00f3digo \"org.conroller.js\" registraba err\u00f3neamente los secretos del usuario. Esto ha sido resuelto en el commit \"46d98f2b\" y deber\u00eda estar disponible en versiones posteriores del software. Es recomendado a usuarios del software que apliquen manualmente el commit \"46d98f2b\" o que actualicen cuando est\u00e9 disponible una nueva versi\u00f3n. Como mitigaci\u00f3n, los usuarios deben inspeccionar sus registros y eliminar los secretos registrados seg\u00fan corresponda"}], "lastModified": "2024-11-21T06:51:17.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cve:cve-services:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8561D10-82C9-42AA-8DA7-335EB2E36246", "versionEndIncluding": "1.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}