CVE-2022-30622 - OpenCVE

Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Chcnav	P5e Gnss P5e Gnss Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:chcnav:p5e_gnss_firmware::::::::
	cpe:2.3:o:chcnav:p5e_gnss_firmware:4.2:::::::*

cpe:2.3:h:chcnav:p5e_gnss:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.gov.il/en/Departments/faq/cve_advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCD

Published: 2022-07-17T20:11:56.873595Z

Updated: 2024-09-17T02:53:15.209Z

Reserved: 2022-05-12T00:00:00

Link: CVE-2022-30622

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-17T21:15:08.803

Modified: 2022-07-28T13:37:01.893

Link: CVE-2022-30622

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Chcnav - P5E GNSS", "vendor": "Chcnav", "versions": [{"lessThan": "4.1*", "status": "affected", "version": "4.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "MetaData"}], "datePublic": "2022-07-13T00:00:00", "descriptions": [{"lang": "en", "value": "Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-17T20:11:56", "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "source": {"defect": ["ILVN-2022-0032"], "discovery": "EXTERNAL"}, "title": "Chcnav - P5E GNSS Information disclosure", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cyber.gov.il", "DATE_PUBLIC": "2022-07-13T11:59:00.000Z", "ID": "CVE-2022-30622", "STATE": "PUBLIC", "TITLE": "Chcnav - P5E GNSS Information disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Chcnav - P5E GNSS", "version": {"version_data": [{"version_affected": ">=", "version_name": "4.1", "version_value": "4.2"}]}}]}, "vendor_name": "Chcnav"}]}}, "credit": [{"lang": "eng", "value": "MetaData"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://www.gov.il/en/Departments/faq/cve_advisories", "refsource": "MISC", "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}, "source": {"defect": ["ILVN-2022-0032"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:56:13.182Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}]}, "cveMetadata": {"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "assignerShortName": "INCD", "cveId": "CVE-2022-30622", "datePublished": "2022-07-17T20:11:56.873595Z", "dateReserved": "2022-05-12T00:00:00", "dateUpdated": "2024-09-17T02:53:15.209Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:chcnav:p5e_gnss_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D517250C-921A-494E-9B38-6154732AA2E5", "versionEndIncluding": "4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:chcnav:p5e_gnss_firmware:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "B26293DB-77D5-4417-B72C-6EEDFE6151D5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:chcnav:p5e_gnss:-:*:*:*:*:*:*:*", "matchCriteriaId": "56783F0F-85AA-4B6F-BC24-3F7659A86567", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword."}, {"lang": "es", "value": "Una revelaci\u00f3n de informaci\u00f3n: el sistema permite visualizar los nombres de usuario y las contrase\u00f1as sin permisos, por lo que ser\u00e1 posible entrar en el sistema. Acceso a la ruta: http://api/sys_username_passwd.cmd - El servidor carga la petici\u00f3n de forma clara por defecto. La divulgaci\u00f3n de la informaci\u00f3n de cr\u00e9dito embebida en el c\u00f3digo JS que es enviado al cliente dentro del archivo Login.js es un usuario fuerte (que no est\u00e1 documentado) y tambi\u00e9n la contrase\u00f1a, que permiten el acceso de super usuario. Nombre de usuario: chcadmin, Contrase\u00f1a: chcpassword"}], "id": "CVE-2022-30622", "lastModified": "2022-07-28T13:37:01.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@cyber.gov.il", "type": "Secondary"}]}, "published": "2022-07-17T21:15:08.803", "references": [{"source": "cna@cyber.gov.il", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}