CVE-2022-2921 - OpenCVE

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Notrinos	Notrinoserp

Configuration 1 [-]

cpe:2.3:a:notrinos:notrinoserp:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45
https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-08-21T03:15:20

Updated: 2024-08-03T00:52:59.889Z

Reserved: 2022-08-21T00:00:00

Link: CVE-2022-2921

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-21T04:15:10.703

Modified: 2022-08-23T16:09:32.733

Link: CVE-2022-2921

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "notrinos/notrinoserp", "vendor": "notrinos", "versions": [{"lessThan": "0.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-21T05:40:08", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}], "source": {"advisory": "51b32a1c-946b-4390-a212-b6c4b6e4115c", "discovery": "EXTERNAL"}, "title": "Exposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-2921", "STATE": "PUBLIC", "TITLE": "Exposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "notrinos/notrinoserp", "version": {"version_data": [{"version_affected": "<", "version_value": "0.7"}]}}]}, "vendor_name": "notrinos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}, {"name": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45", "refsource": "MISC", "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}]}, "source": {"advisory": "51b32a1c-946b-4390-a212-b6c4b6e4115c", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:52:59.889Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-2921", "datePublished": "2022-08-21T03:15:20", "dateReserved": "2022-08-21T00:00:00", "dateUpdated": "2024-08-03T00:52:59.889Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:notrinos:notrinoserp:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DA2C016-D055-4DB8-AE79-4E8247EAD917", "versionEndExcluding": "0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions."}, {"lang": "es", "value": "Una Exposici\u00f3n de Informaci\u00f3n Personal Privada a un Actor no Autorizado en el repositorio GitHub notrinos/notrinoserp versiones anteriores a v0.7. Esto resulta en una escalada de privilegios a una cuenta de administrador del sistema. Un atacante puede conseguir acceso a funcionalidades protegidas como crear/actualizar empresas, instalar/actualizar idiomas, instalar/activar extensiones, instalar/activar temas y otras acciones permisivas."}], "id": "CVE-2022-2921", "lastModified": "2022-08-23T16:09:32.733", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-21T04:15:10.703", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "security@huntr.dev", "type": "Primary"}]}