CVE-2022-31066 - OpenCVE

Vendors	Products
Edgexfoundry	Edgex Foundry

Link	Providers
https://github.com/edgexfoundry/device-sdk-go/pull/1161
https://github.com/edgexfoundry/edgex-go/pull/4016
https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q

{"containers": {"cna": {"affected": [{"product": "edgex-go", "vendor": "edgexfoundry", "versions": [{"status": "affected", "version": "< 2.1.1"}]}], "descriptions": [{"lang": "en", "value": "EdgeX Foundry is an open source project for building a common open framework for Internet of Things edge computing. Prior to version 2.1.1, the /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus. Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1) to receive a patch. More information about which go modules, docker containers, and snaps contain patches is available in the GitHub Security Advisory. There are currently no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-14T21:55:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/edgexfoundry/device-sdk-go/pull/1161"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/edgexfoundry/edgex-go/pull/4016"}], "source": {"advisory": "GHSA-g63h-q855-vp3q", "discovery": "UNKNOWN"}, "title": "Configuration API in EdgeXFoundry exposes message bus credentials to local unauthenticated users", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31066", "STATE": "PUBLIC", "TITLE": "Configuration API in EdgeXFoundry exposes message bus credentials to local unauthenticated users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "edgex-go", "version": {"version_data": [{"version_value": "< 2.1.1"}]}}]}, "vendor_name": "edgexfoundry"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "EdgeX Foundry is an open source project for building a common open framework for Internet of Things edge computing. Prior to version 2.1.1, the /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus. Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1) to receive a patch. More information about which go modules, docker containers, and snaps contain patches is available in the GitHub Security Advisory. There are currently no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q", "refsource": "CONFIRM", "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q"}, {"name": "https://github.com/edgexfoundry/device-sdk-go/pull/1161", "refsource": "MISC", "url": "https://github.com/edgexfoundry/device-sdk-go/pull/1161"}, {"name": "https://github.com/edgexfoundry/edgex-go/pull/4016", "refsource": "MISC", "url": "https://github.com/edgexfoundry/edgex-go/pull/4016"}]}, "source": {"advisory": "GHSA-g63h-q855-vp3q", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.303Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/edgexfoundry/device-sdk-go/pull/1161"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/edgexfoundry/edgex-go/pull/4016"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31066", "datePublished": "2022-06-14T21:55:11", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.303Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:edgexfoundry:edgex_foundry:*:*:*:*:*:*:*:*", "matchCriteriaId": "8858893D-F6A0-4475-950A-C7FFF0C14F45", "versionEndExcluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EdgeX Foundry is an open source project for building a common open framework for Internet of Things edge computing. Prior to version 2.1.1, the /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus. Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1) to receive a patch. More information about which go modules, docker containers, and snaps contain patches is available in the GitHub Security Advisory. There are currently no known workarounds for this issue."}, {"lang": "es", "value": "EdgeX Foundry es un proyecto de c\u00f3digo abierto para construir un marco com\u00fan abierto para la computaci\u00f3n de borde de la Internet de las Cosas. En versiones anteriores a 2.1.1, el endpoint /api/v2/config expone las credenciales del bus de mensajes a usuarios locales no autenticados. En el modo de seguridad habilitado, las credenciales del bus de mensajes se supone que son mantenidas en el almac\u00e9n secreto de EdgeX y requieren autenticaci\u00f3n para acceder. Esta vulnerabilidad omite los controles de acceso a las credenciales del bus de mensajes cuando es ejecutada en modo de seguridad habilitado. (No son requaridas credenciales cuando es ejecutado en modo de seguridad deshabilitada.) Como resultado, los atacantes podr\u00edan interceptar datos o inyectar datos falsos en el bus de mensajes de EdgeX. Los usuarios deben actualizar a EdgeXFoundry Kamakura versi\u00f3n (2.2.0) o a EdgeXFoundry LTS Jakarta versi\u00f3n de junio de 2022 (2.1.1) para recibir el parche. M\u00e1s informaci\u00f3n sobre qu\u00e9 m\u00f3dulos go, contenedores docker y snaps contienen parches est\u00e1 disponible en el aviso de seguridad de GitHub. Actualmente no se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-31066", "lastModified": "2022-06-23T20:57:10.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-06-14T22:15:10.380", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/edgexfoundry/device-sdk-go/pull/1161"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/edgexfoundry/edgex-go/pull/4016"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-g63h-q855-vp3q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object