CVE-2022-1766 - Vulnerability Details - OpenCVE

Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access Anchore Enterprise API in the Software Bill of Materials (SBOM) generated by anchorectl. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00276.

Key SSVC decision points have not yet been added.

Vendors	Products
Anchore	Anchore Anchorectl

Configuration 1 [-]

OR	cpe:2.3:a:anchore:anchore:::::enterprise:::*
	cpe:2.3:a:anchore:anchorectl::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://docs.anchore.com/current/docs/releasenotes/401/

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2022-07-20T16:10:10.790146Z

Updated: 2024-09-16T20:36:35.624Z

Reserved: 2022-05-17T00:00:00

Link: CVE-2022-1766

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-07-20T16:15:08.847

Modified: 2024-11-21T06:41:25.280

Link: CVE-2022-1766

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Anchore Enterprise", "vendor": "Anchore Inc.", "versions": [{"lessThan": "4.0.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "AnchoreCTL", "vendor": "Anchore Inc.", "versions": [{"lessThan": "0.1.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-04-29T00:00:00", "descriptions": [{"lang": "en", "value": "Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access Anchore Enterprise API in the Software Bill of Materials (SBOM) generated by anchorectl. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-20T16:10:10", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://docs.anchore.com/current/docs/releasenotes/401/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2022-04-29T00:00:00.000Z", "ID": "CVE-2022-1766", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Anchore Enterprise", "version": {"version_data": [{"version_affected": "<", "version_value": "4.0.1"}]}}, {"product_name": "AnchoreCTL", "version": {"version_data": [{"version_affected": "<", "version_value": "0.1.5"}]}}]}, "vendor_name": "Anchore Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access Anchore Enterprise API in the Software Bill of Materials (SBOM) generated by anchorectl. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522: Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://docs.anchore.com/current/docs/releasenotes/401/", "refsource": "CONFIRM", "url": "https://docs.anchore.com/current/docs/releasenotes/401/"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:16:59.940Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://docs.anchore.com/current/docs/releasenotes/401/"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2022-1766", "datePublished": "2022-07-20T16:10:10.790146Z", "dateReserved": "2022-05-17T00:00:00", "dateUpdated": "2024-09-16T20:36:35.624Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anchore:anchore:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B43A82E5-3142-4725-8B35-0DA055379092", "versionEndExcluding": "4.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:anchore:anchorectl:*:*:*:*:*:*:*:*", "matchCriteriaId": "8723B20C-E50A-4443-8E69-BA67939A7D5F", "versionEndExcluding": "0.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access Anchore Enterprise API in the Software Bill of Materials (SBOM) generated by anchorectl. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue."}, {"lang": "es", "value": "Anchorectl versi\u00f3n 0.1.4, almacena inapropiadamente las credenciales cuando genera una lista de materiales de software. anchorectl a\u00f1adir\u00e1 las credenciales usadas para acceder a la API de Anchore Enterprise en la lista de materiales de software (SBOM) generada por anchorectl. Los usuarios de anchorectl versi\u00f3n 0.1.4, deben actualizar a anchorectl versi\u00f3n 0.1.5 para resolver este problema"}], "id": "CVE-2022-1766", "lastModified": "2024-11-21T06:41:25.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-20T16:15:08.847", "references": [{"source": "cret@cert.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.anchore.com/current/docs/releasenotes/401/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.anchore.com/current/docs/releasenotes/401/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "cret@cert.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}