CVE-2022-24689 - Vulnerability Details - OpenCVE

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00192.

Key SSVC decision points have not yet been added.

Vendors	Products
Dsk Subscribe	Dsknet Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:dsk:dsknet:2.16.136.0:::::::*
	cpe:2.3:a:dsk:dsknet:2.17.136.5:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-29556	An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://dsk.lu/fr/produits/temps-de-presence
https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-18T12:34:24

Updated: 2024-08-03T04:20:50.187Z

Reserved: 2022-02-09T00:00:00

Link: CVE-2022-24689

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-07-18T13:15:09.760

Modified: 2024-11-21T06:50:53.037

Link: CVE-2022-24689

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-307

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-18T12:34:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-24689", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://dsk.lu/fr/produits/temps-de-presence", "refsource": "MISC", "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"name": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf", "refsource": "MISC", "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.187Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-24689", "datePublished": "2022-07-18T12:34:24", "dateReserved": "2022-02-09T00:00:00", "dateUpdated": "2024-08-03T04:20:50.187Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dsk:dsknet:2.16.136.0:*:*:*:*:*:*:*", "matchCriteriaId": "49B0E313-BCD6-47A4-9968-A49FD8E78A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:dsk:dsknet:2.17.136.5:*:*:*:*:*:*:*", "matchCriteriaId": "B31B0D02-2879-422F-8100-2594CA5E82F5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts."}, {"lang": "es", "value": "Se ha detectado un problema en DSK DSKNet versiones 2.16.136.0 y 2.17.136.5. El control de acceso es manejado inapropiadamente. Esto permite que un atacante remoto acceda a las p\u00e1ginas de informaci\u00f3n de la cuenta (incluidos los datos personales) sin ser autenticado. La informaci\u00f3n recopilada incluye los n\u00fameros de identificaci\u00f3n que funcionan como nombres de inicio de sesi\u00f3n de usuarios. Presentan un c\u00f3digo PIN. El c\u00f3digo PINpresenta4 d\u00edgitos y, por lo tanto, puede ser adivinado en 10000 intentos de fuerza bruta"}], "id": "CVE-2022-24689", "lastModified": "2024-11-21T06:50:53.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-18T13:15:09.760", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}]}