CVE-2022-24860 - OpenCVE

Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Databasir Project	Databasir

Configuration 1 [-]

cpe:2.3:a:databasir_project:databasir:1.0.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/vran-dev/databasir/blob/master/core/src/main/java/com/databasir/core/infrastructure/jwt/JwtTokens.java
https://github.com/vran-dev/databasir/security/advisories/GHSA-9prp-5jc9-jpgg
https://user-images.githubusercontent.com/75008428/163742517-ecc1c787-1ef6-4df9-bdf2-407b2b31e111.png
https://user-images.githubusercontent.com/75008428/163742566-a69c91e8-db20-4058-8967-1cfe86facc6d.png
https://user-images.githubusercontent.com/75008428/163742596-5c13153a-be8f-4ce3-9681-bc68b5f7e9c5.png

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-04-19T23:25:27

Updated: 2024-08-03T04:20:50.623Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24860

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-20T00:16:51.177

Modified: 2022-04-29T23:44:18.850

Link: CVE-2022-24860

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "databasir", "vendor": "vran-dev", "versions": [{"status": "affected", "version": " > 1.0.1"}]}], "descriptions": [{"lang": "en", "value": "Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321: Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:25:27", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vran-dev/databasir/security/advisories/GHSA-9prp-5jc9-jpgg"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vran-dev/databasir/blob/master/core/src/main/java/com/databasir/core/infrastructure/jwt/JwtTokens.java"}, {"tags": ["x_refsource_MISC"], "url": "https://user-images.githubusercontent.com/75008428/163742517-ecc1c787-1ef6-4df9-bdf2-407b2b31e111.png"}, {"tags": ["x_refsource_MISC"], "url": "https://user-images.githubusercontent.com/75008428/163742566-a69c91e8-db20-4058-8967-1cfe86facc6d.png"}, {"tags": ["x_refsource_MISC"], "url": "https://user-images.githubusercontent.com/75008428/163742596-5c13153a-be8f-4ce3-9681-bc68b5f7e9c5.png"}], "source": {"advisory": "GHSA-9prp-5jc9-jpgg", "discovery": "UNKNOWN"}, "title": "Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability.", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24860", "STATE": "PUBLIC", "TITLE": "Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "databasir", "version": {"version_data": [{"version_value": " > 1.0.1"}]}}]}, "vendor_name": "vran-dev"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-321: Use of Hard-coded Cryptographic Key"}]}]}, "references": {"reference_data": [{"name": "https://github.com/vran-dev/databasir/security/advisories/GHSA-9prp-5jc9-jpgg", "refsource": "CONFIRM", "url": "https://github.com/vran-dev/databasir/security/advisories/GHSA-9prp-5jc9-jpgg"}, {"name": "https://github.com/vran-dev/databasir/blob/master/core/src/main/java/com/databasir/core/infrastructure/jwt/JwtTokens.java", "refsource": "MISC", "url": "https://github.com/vran-dev/databasir/blob/master/core/src/main/java/com/databasir/core/infrastructure/jwt/JwtTokens.java"}, {"name": "https://user-images.githubusercontent.com/75008428/163742517-ecc1c787-1ef6-4df9-bdf2-407b2b31e111.png", "refsource": "MISC", "url": "https://user-images.githubusercontent.com/75008428/163742517-ecc1c787-1ef6-4df9-bdf2-407b2b31e111.png"}, {"name": "https://user-images.githubusercontent.com/75008428/163742566-a69c91e8-db20-4058-8967-1cfe86facc6d.png", "refsource": "MISC", "url": "https://user-images.githubusercontent.com/75008428/163742566-a69c91e8-db20-4058-8967-1cfe86facc6d.png"}, {"name": "https://user-images.githubusercontent.com/75008428/163742596-5c13153a-be8f-4ce3-9681-bc68b5f7e9c5.png", "refsource": "MISC", "url": "https://user-images.githubusercontent.com/75008428/163742596-5c13153a-be8f-4ce3-9681-bc68b5f7e9c5.png"}]}, "source": {"advisory": "GHSA-9prp-5jc9-jpgg", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.623Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vran-dev/databasir/security/advisories/GHSA-9prp-5jc9-jpgg"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vran-dev/databasir/blob/master/core/src/main/java/com/databasir/core/infrastructure/jwt/JwtTokens.java"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://user-images.githubusercontent.com/75008428/163742517-ecc1c787-1ef6-4df9-bdf2-407b2b31e111.png"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://user-images.githubusercontent.com/75008428/163742566-a69c91e8-db20-4058-8967-1cfe86facc6d.png"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://user-images.githubusercontent.com/75008428/163742596-5c13153a-be8f-4ce3-9681-bc68b5f7e9c5.png"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24860", "datePublished": "2022-04-19T23:25:27", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.623Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:databasir_project:databasir:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "07E7ACF2-8A46-4D85-AD1C-536851B2EDDC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses."}, {"lang": "es", "value": "Databasir es una plataforma de administraci\u00f3n de documentos con modelo de base de datos relacional orientada a equipos. Databasir versi\u00f3n 1.01, presenta una vulnerabilidad de Uso de Clave Criptogr\u00e1fica Embebida. Un atacante puede usar la codificaci\u00f3n dura para generar credenciales de inicio de sesi\u00f3n de cualquier usuario e iniciar sesi\u00f3n en el fondo del servicio ubicado en diferentes direcciones IP"}], "id": "CVE-2022-24860", "lastModified": "2022-04-29T23:44:18.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-04-20T00:16:51.177", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/vran-dev/databasir/blob/master/core/src/main/java/com/databasir/core/infrastructure/jwt/JwtTokens.java"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/vran-dev/databasir/security/advisories/GHSA-9prp-5jc9-jpgg"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://user-images.githubusercontent.com/75008428/163742517-ecc1c787-1ef6-4df9-bdf2-407b2b31e111.png"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://user-images.githubusercontent.com/75008428/163742566-a69c91e8-db20-4058-8967-1cfe86facc6d.png"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://user-images.githubusercontent.com/75008428/163742596-5c13153a-be8f-4ce3-9681-bc68b5f7e9c5.png"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}