CVE-2022-26672 - Vulnerability Details - OpenCVE

Description

ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information.

Published: 2022-04-22

Score: 7.3 High

EPSS: 1.7% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ASUS

WebStorage

affected

Version	Status	Constraints
`unspecified`	affected	≤ 3.10.1

Configuration 1 [-]

cpe:2.3:a:asus:webstorage:*:*:*:*:*:android:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update ASUS WebStorage Android version to 3.10.2

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-31222	ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.01715.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html

History

No history.

Subscriptions

Asus Webstorage

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2022-04-22T06:50:16.927Z

Updated: 2024-09-16T19:24:14.105Z

Reserved: 2022-03-08T00:00:00.000Z

Link: CVE-2022-26672

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-04-22T07:15:07.510

Modified: 2024-11-21T06:54:18.180

Link: CVE-2022-26672

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-798

{"containers": {"cna": {"affected": [{"platforms": ["Android"], "product": "WebStorage", "vendor": "ASUS", "versions": [{"lessThanOrEqual": "3.10.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-04-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-22T06:50:16.000Z", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html"}], "solutions": [{"lang": "en", "value": "Update ASUS WebStorage Android version to 3.10.2"}], "source": {"advisory": "TVN-202203005", "discovery": "EXTERNAL"}, "title": "ASUS WebStorage - Use of Hard-coded Credentials", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2022-04-22T05:48:00.000Z", "ID": "CVE-2022-26672", "STATE": "PUBLIC", "TITLE": "ASUS WebStorage - Use of Hard-coded Credentials"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WebStorage", "version": {"version_data": [{"platform": "Android", "version_affected": "<=", "version_value": "3.10.1"}]}}]}, "vendor_name": "ASUS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798 Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html"}]}, "solution": [{"lang": "en", "value": "Update ASUS WebStorage Android version to 3.10.2"}], "source": {"advisory": "TVN-202203005", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:11:43.431Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2022-26672", "datePublished": "2022-04-22T06:50:16.927Z", "dateReserved": "2022-03-08T00:00:00.000Z", "dateUpdated": "2024-09-16T19:24:14.105Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:asus:webstorage:*:*:*:*:*:android:*:*", "matchCriteriaId": "5AE4615B-DC77-4C98-8C4A-1FBF02A2D146", "versionEndExcluding": "3.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information."}, {"lang": "es", "value": "ASUS WebStorage presenta un token de API embebido en el c\u00f3digo fuente de la APP. Un atacante remoto no autenticado puede usar este token para establecer conexiones con el servidor y llevar a cabo intentos de inicio de sesi\u00f3n en cuentas de usuario generales. Un inicio de sesi\u00f3n con \u00e9xito en una cuenta de usuario general permite al atacante acceder, modificar o eliminar la informaci\u00f3n de esta cuenta de usuario"}], "id": "CVE-2022-26672", "lastModified": "2024-11-21T06:54:18.180", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-22T07:15:07.510", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}