CVE-2022-23183 - OpenCVE

Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Advancedcustomfields	Advanced Custom Fields

Configuration 1 [-]

OR	cpe:2.3:a:advancedcustomfields:advanced_custom_fields:::::-:wordpress::
	cpe:2.3:a:advancedcustomfields:advanced_custom_fields:::::pro:wordpress::

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN42543427/index.html
https://wordpress.org/plugins/advanced-custom-fields/
https://www.advancedcustomfields.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2022-03-31T07:20:54

Updated: 2024-08-03T03:36:20.034Z

Reserved: 2022-02-18T00:00:00

Link: CVE-2022-23183

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-31T08:15:08.257

Modified: 2022-04-07T20:02:20.227

Link: CVE-2022-23183

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Advanced Custom Fields", "vendor": "Delicious Brains", "versions": [{"status": "affected", "version": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1"}]}], "descriptions": [{"lang": "en", "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."}], "problemTypes": [{"descriptions": [{"description": "Missing authorization", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-31T07:20:54", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.advancedcustomfields.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2022-23183", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Advanced Custom Fields", "version": {"version_data": [{"version_value": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1"}]}}]}, "vendor_name": "Delicious Brains"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.advancedcustomfields.com/", "refsource": "MISC", "url": "https://www.advancedcustomfields.com/"}, {"name": "https://wordpress.org/plugins/advanced-custom-fields/", "refsource": "MISC", "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"name": "https://jvn.jp/en/jp/JVN42543427/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:20.034Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.advancedcustomfields.com/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2022-23183", "datePublished": "2022-03-31T07:20:54", "dateReserved": "2022-02-18T00:00:00", "dateUpdated": "2024-08-03T03:36:20.034Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:-:wordpress:*:*", "matchCriteriaId": "3DDE767C-FF73-4C33-BED6-F8FDB093DE52", "versionEndExcluding": "5.12.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "23698E76-F1B5-4CAB-BF70-711627DE557F", "versionEndExcluding": "5.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."}, {"lang": "es", "value": "Una vulnerabilidad de falta de autorizaci\u00f3n en Advanced Custom Fields versiones anteriores a 5.12.1 y en Advanced Custom Fields Pro versiones anteriores a 5.12.1, permite a un atacante remoto autenticado visualizar la informaci\u00f3n de la base de datos sin el permiso de acceso"}], "id": "CVE-2022-23183", "lastModified": "2022-04-07T20:02:20.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-31T08:15:08.257", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN42543427/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/advanced-custom-fields/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product", "Vendor Advisory"], "url": "https://www.advancedcustomfields.com/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}