CVE-2022-24721 - OpenCVE

CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cometd	Cometd

Configuration 1 [-]

OR	cpe:2.3:a:cometd:cometd::::::::
	cpe:2.3:a:cometd:cometd::::::::
	cpe:2.3:a:cometd:cometd::::::::

No data.

References

Link	Providers
https://github.com/cometd/cometd/issues/1146
https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv
https://nvd.nist.gov/vuln/detail/CVE-2022-24721
https://www.cve.org/CVERecord?id=CVE-2022-24721

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-15T13:45:13

Updated: 2024-08-03T04:20:49.811Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24721

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-15T14:15:08.247

Modified: 2022-03-25T13:06:49.207

Link: CVE-2022-24721

Redhat

Severity : Moderate

Publid Date: 2022-03-15T00:00:00Z

Links: CVE-2022-24721 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "cometd", "vendor": "cometd", "versions": [{"status": "affected", "version": "< 5.0.11"}, {"status": "affected", "version": ">= 6.0.0, < 6.0.6"}, {"status": "affected", "version": ">= 7.0.0, < 7.0.6"}]}], "descriptions": [{"lang": "en", "value": "CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-15T13:45:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cometd/cometd/issues/1146"}], "source": {"advisory": "GHSA-rjmq-6v55-4rjv", "discovery": "UNKNOWN"}, "title": "Incorrect Authorization in org.cometd.oort", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24721", "STATE": "PUBLIC", "TITLE": "Incorrect Authorization in org.cometd.oort"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cometd", "version": {"version_data": [{"version_value": "< 5.0.11"}, {"version_value": ">= 6.0.0, < 6.0.6"}, {"version_value": ">= 7.0.0, < 7.0.6"}]}}]}, "vendor_name": "cometd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv", "refsource": "CONFIRM", "url": "https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv"}, {"name": "https://github.com/cometd/cometd/issues/1146", "refsource": "MISC", "url": "https://github.com/cometd/cometd/issues/1146"}]}, "source": {"advisory": "GHSA-rjmq-6v55-4rjv", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.811Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cometd/cometd/issues/1146"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24721", "datePublished": "2022-03-15T13:45:13", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.811Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cometd:cometd:*:*:*:*:*:*:*:*", "matchCriteriaId": "C396054E-E663-49EF-8212-2D3BFACDCA0A", "versionEndExcluding": "5.0.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:cometd:cometd:*:*:*:*:*:*:*:*", "matchCriteriaId": "431F0B99-7272-48BE-B046-65AEDF8AE02A", "versionEndExcluding": "6.0.6", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cometd:cometd:*:*:*:*:*:*:*:*", "matchCriteriaId": "9864C8A4-84FC-4341-955F-508FDD7F876A", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels."}, {"lang": "es", "value": "CometD es una implementaci\u00f3n escalable de comet para la mensajer\u00eda web. En cualquier versi\u00f3n anterior a 5.0.11, 6.0.6 y 7.0.6, el uso interno de los canales Oort y Seti est\u00e1 indebidamente autorizado, por lo que cualquier usuario remoto podr\u00eda suscribirse y publicar en esos canales. Al suscribirse a esos canales, un usuario remoto podr\u00eda visualizar el tr\u00e1fico interno del cl\u00faster que contiene datos de otros usuarios (posiblemente confidenciales). Al publicar en esos canales, un usuario remoto podr\u00eda crear/modificar/borrar los datos de otros usuarios y modificar la estructura del cl\u00faster. Se presenta una correcci\u00f3n disponible en versiones 5.0.11, 6.0.6 y 7.0.6. Como medida de mitigaci\u00f3n, instale una \"SecurityPolicy\" personalizada que proh\u00edba la suscripci\u00f3n y publicaci\u00f3n a sesiones remotas, no Oort, en los canales Oort y Seti"}], "id": "CVE-2022-24721", "lastModified": "2022-03-25T13:06:49.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-15T14:15:08.247", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/cometd/cometd/issues/1146"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cometd: Improper Authorization in org.cometd.oort", "id": "2064616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064616"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-863->CWE-1220", "details": ["CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels.", "A flaw was found in CometD\u2019s Oort package. This flaw allows an attacker to monitor unauthorized channels when connected remotely."], "name": "CVE-2022-24721", "package_state": [{"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "cometd", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "cometd", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "cometd", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "cometd", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "cometd", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "cometd", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "cometd", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2022-03-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24721\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24721\nhttps://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv"], "statement": "This issue affects the cometd-java-oort package.", "threat_severity": "Moderate", "upstream_fix": "cometd 5.0.11, cometd 6.0.6, cometd 7.0.6"}