CVE-2022-24875 - OpenCVE

The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cve	Cve-services

Configuration 1 [-]

cpe:2.3:a:cve:cve-services:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4
https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-04-21T17:20:10

Updated: 2024-08-03T04:29:01.160Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24875

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-21T18:15:08.767

Modified: 2022-05-03T16:18:13.263

Link: CVE-2022-24875

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "cve-services", "vendor": "CVEProject", "versions": [{"status": "affected", "version": "<= 1.1.1"}]}], "descriptions": [{"lang": "en", "value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-21T17:20:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"}], "source": {"advisory": "GHSA-rhj9-qx37-7m2m", "discovery": "UNKNOWN"}, "title": "Potential Secrets being logged to disk in CVEProject/cve-services", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24875", "STATE": "PUBLIC", "TITLE": "Potential Secrets being logged to disk in CVEProject/cve-services"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cve-services", "version": {"version_data": [{"version_value": "<= 1.1.1"}]}}]}, "vendor_name": "CVEProject"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532: Insertion of Sensitive Information into Log File"}]}]}, "references": {"reference_data": [{"name": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m", "refsource": "CONFIRM", "url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"}, {"name": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4", "refsource": "MISC", "url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"}]}, "source": {"advisory": "GHSA-rhj9-qx37-7m2m", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:29:01.160Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24875", "datePublished": "2022-04-21T17:20:10", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:29:01.160Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cve:cve-services:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8561D10-82C9-42AA-8DA7-335EB2E36246", "versionEndIncluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."}, {"lang": "es", "value": "CVEProject/cve-services es un proyecto de c\u00f3digo abierto usado para operar la api de servicios CVE. En versiones hasta 1.1.1 incluy\u00e9ndola, el c\u00f3digo \"org.conroller.js\" registraba err\u00f3neamente los secretos del usuario. Esto ha sido resuelto en el commit \"46d98f2b\" y deber\u00eda estar disponible en versiones posteriores del software. Es recomendado a usuarios del software que apliquen manualmente el commit \"46d98f2b\" o que actualicen cuando est\u00e9 disponible una nueva versi\u00f3n. Como mitigaci\u00f3n, los usuarios deben inspeccionar sus registros y eliminar los secretos registrados seg\u00fan corresponda"}], "id": "CVE-2022-24875", "lastModified": "2022-05-03T16:18:13.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-04-21T18:15:08.767", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}