CVE-2022-1065 - OpenCVE

A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Abacus	Abacus Erp 2018 Abacus Erp 2019 Abacus Erp 2020 Abacus Erp 2021 Abacus Erp 2022

Configuration 1 [-]

OR	cpe:2.3:a:abacus:abacus_erp_2018::::::::
	cpe:2.3:a:abacus:abacus_erp_2019::::::::
	cpe:2.3:a:abacus:abacus_erp_2020::::::::
	cpe:2.3:a:abacus:abacus_erp_2021::::::::
	cpe:2.3:a:abacus:abacus_erp_2022::::::::

No data.

References

Link	Providers
https://www.redguard.ch/advisories/abacus_mfa_bypass.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2022-04-19T07:50:10

Updated: 2024-08-02T23:47:43.377Z

Reserved: 2022-03-24T00:00:00

Link: CVE-2022-1065

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-19T08:15:06.810

Modified: 2022-04-27T14:56:08.903

Link: CVE-2022-1065

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Abacus ERP", "vendor": "Abacus Research AG", "versions": [{"lessThan": "R1 of 2022-01-15", "status": "affected", "version": "v2022", "versionType": "custom"}, {"lessThan": "R4 of 2022-01-15", "status": "affected", "version": "v2021", "versionType": "custom"}, {"lessThan": "R6 of 2022-01-15", "status": "affected", "version": "v2020", "versionType": "custom"}, {"changes": [{"at": "R5 of 2020-03-15", "status": "affected"}], "lessThan": "v2019*", "status": "affected", "version": "R5 (service pack)", "versionType": "custom"}, {"changes": [{"at": "R7 of 2020-04-15", "status": "affected"}], "lessThan": "v2018*", "status": "affected", "version": "R5 (service pack)", "versionType": "custom"}, {"lessThanOrEqual": "and prior versions", "status": "unaffected", "version": "v2017", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Roman Gribi, Redguard AG"}], "descriptions": [{"lang": "en", "value": "A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-304", "description": "CWE-304 Missing Critical Step in Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T07:50:10", "orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}], "solutions": [{"lang": "en", "value": "Install the available hot fixes and / or service packs from 2022-01-15 or newer"}], "source": {"discovery": "EXTERNAL"}, "title": "Multi Factor Authentication Bypass in various versions of Abacus ERP", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerability@ncsc.ch", "ID": "CVE-2022-1065", "STATE": "PUBLIC", "TITLE": "Multi Factor Authentication Bypass in various versions of Abacus ERP"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Abacus ERP", "version": {"version_data": [{"version_affected": "<", "version_name": "v2022", "version_value": "R1 of 2022-01-15"}, {"version_affected": "<", "version_name": "v2021", "version_value": "R4 of 2022-01-15"}, {"version_affected": "<", "version_name": "v2020", "version_value": "R6 of 2022-01-15"}, {"version_affected": ">", "version_name": "v2019", "version_value": "R5 (service pack)"}, {"version_affected": ">", "version_name": "v2018", "version_value": "R5 (service pack)"}, {"version_affected": "!<", "version_name": "v2019", "version_value": "R5 of 2020-03-15"}, {"version_affected": "!<", "version_name": "v2018", "version_value": "R7 of 2020-04-15"}, {"version_affected": "!<=", "version_name": "v2017", "version_value": "and prior versions"}]}}]}, "vendor_name": "Abacus Research AG"}]}}, "credit": [{"lang": "eng", "value": "Roman Gribi, Redguard AG"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-304 Missing Critical Step in Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt", "refsource": "CONFIRM", "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}]}, "solution": [{"lang": "en", "value": "Install the available hot fixes and / or service packs from 2022-01-15 or newer"}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:47:43.377Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}]}]}, "cveMetadata": {"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "assignerShortName": "NCSC.ch", "cveId": "CVE-2022-1065", "datePublished": "2022-04-19T07:50:10", "dateReserved": "2022-03-24T00:00:00", "dateUpdated": "2024-08-02T23:47:43.377Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abacus:abacus_erp_2018:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E6374E0-5722-4E67-8D3D-7064972155DF", "versionStartIncluding": "r7", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2019:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE33C1DA-93EA-4EF0-A997-73065915A281", "versionStartIncluding": "r5", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2020:*:*:*:*:*:*:*:*", "matchCriteriaId": "5661E368-AF11-4AC0-9169-D1C5BBD698AC", "versionEndExcluding": "r6", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2021:*:*:*:*:*:*:*:*", "matchCriteriaId": "C33CFF07-8293-4A50-9877-2521D655725D", "versionEndExcluding": "r4", "vulnerable": true}, {"criteria": "cpe:2.3:a:abacus:abacus_erp_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E9364AB-33D8-43C2-8202-4562DC60F069", "versionEndExcluding": "r1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-01-15; v2021 versions prior to R4 of 2022-01-15; v2020 versions prior to R6 of 2022-01-15; v2019 versions later than R5 (service pack); v2018 versions later than R5 (service pack). This issue does not affect: Abacus ERP v2019 versions prior to R5 of 2020-03-15; v2018 versions prior to R7 of 2020-04-15; v2017 version and prior versions and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad en el proceso de autenticaci\u00f3n de Abacus ERP permite a un atacante remoto omitir el segundo factor de autenticaci\u00f3n. Este problema afecta a: Abacus ERP v2022 versiones anteriores a R1 de 15-01-2022; v2021 versiones anteriores a R4 de 15-01-2022; v2020 versiones anteriores a R6 de 15-01-2022; v2019 versiones posteriores a R5 (service pack); v2018 versiones posteriores a R5 (service pack). Este problema no afecta a: Abacus ERP v2019 versiones anteriores a R5 de 15-03-2020; v2018 versiones anteriores a R7 de 15-04-2020; v2017 versi\u00f3n y versiones anteriores y versiones anteriores"}], "id": "CVE-2022-1065", "lastModified": "2022-04-27T14:56:08.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2022-04-19T08:15:06.810", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.redguard.ch/advisories/abacus_mfa_bypass.txt"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-304"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}