CVE-2022-2192 - OpenCVE

Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hypr	Hypr Server

Configuration 1 [-]

cpe:2.3:a:hypr:hypr_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.hypr.com/security-advisories/

History

No history.

MITRE

Status: PUBLISHED

Assigner: HYPR

Published: 2022-07-19T14:07:38

Updated: 2024-08-03T00:32:08.717Z

Reserved: 2022-06-23T00:00:00

Link: CVE-2022-2192

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-19T15:15:08.547

Modified: 2022-07-27T07:23:43.320

Link: CVE-2022-2192

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "HYPR Server", "vendor": "HYPR", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "next of 6.10", "versionType": "custom"}, {"lessThanOrEqual": "6.15.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-425", "description": "CWE-425 Direct Request (Forced Browsing)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-19T14:07:38", "orgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "shortName": "HYPR"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.hypr.com/security-advisories/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@hypr.com", "ID": "CVE-2022-2192", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HYPR Server", "version": {"version_data": [{"version_affected": ">", "version_value": "6.10"}, {"version_affected": "<=", "version_value": "6.15.1"}]}}]}, "vendor_name": "HYPR"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-425 Direct Request (Forced Browsing)"}]}]}, "references": {"reference_data": [{"name": "https://www.hypr.com/security-advisories/", "refsource": "MISC", "url": "https://www.hypr.com/security-advisories/"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:08.717Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.hypr.com/security-advisories/"}]}]}, "cveMetadata": {"assignerOrgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "assignerShortName": "HYPR", "cveId": "CVE-2022-2192", "datePublished": "2022-07-19T14:07:38", "dateReserved": "2022-06-23T00:00:00", "dateUpdated": "2024-08-03T00:32:08.717Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hypr:hypr_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "109B33EB-E6C1-4759-8B0B-DC848ABE5177", "versionEndIncluding": "6.15.1", "versionStartIncluding": "6.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de navegaci\u00f3n forzada en HYPR Server versiones 6.10 a 6.15.1, permite a atacantes remotos con un token v\u00e1lido de recuperaci\u00f3n de un solo uso elevar los privilegios por medio de la manipulaci\u00f3n de la ruta en la p\u00e1gina Magic Link. Este problema afecta a: Las versiones de HYPR Server posteriores a 6.10; versiones 6.15.1 y anteriores."}], "id": "CVE-2022-2192", "lastModified": "2022-07-27T07:23:43.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@hypr.com", "type": "Secondary"}]}, "published": "2022-07-19T15:15:08.547", "references": [{"source": "security@hypr.com", "tags": ["Vendor Advisory"], "url": "https://www.hypr.com/security-advisories/"}], "sourceIdentifier": "security@hypr.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-425"}], "source": "security@hypr.com", "type": "Secondary"}]}