CVE-2022-34155 - Vulnerability Details - OpenCVE

Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00253.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Miniorange	Oauth Single Sign On

Configuration 1 [-]

cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-37170	Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.

Fixes

Solution

Update to 6.23.4 or a higher version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve
https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve

History

Wed, 25 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2023-07-18T13:41:59.369Z

Updated: 2024-09-25T16:32:41.889Z

Reserved: 2022-06-30T08:55:45.281Z

Link: CVE-2022-34155

Vulnrichment

Updated: 2024-08-03T08:16:17.114Z

NVD

Status : Modified

Published: 2023-07-18T14:15:12.093

Modified: 2024-11-21T07:08:57.930

Link: CVE-2022-34155

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-34155", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2022-06-30T08:55:45.281Z", "datePublished": "2023-07-18T13:41:59.369Z", "dateUpdated": "2024-09-25T16:32:41.889Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "miniorange-login-with-eve-online-google-facebook", "product": "OAuth Single Sign On \u2013 SSO (OAuth Client)", "vendor": "miniOrange", "versions": [{"changes": [{"at": "6.23.4", "status": "unaffected"}], "lessThanOrEqual": "6.23.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Lana Codes (Patchstack Alliance)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.<p>This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.</p>"}], "value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.\n\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2023-07-18T13:41:59.369Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"}, {"tags": ["third-party-advisory", "technical-description"], "url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 6.23.4 or a higher version."}], "value": "Update to\u00a06.23.4 or a higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress OAuth Single Sign On \u2013 SSO (OAuth Client) Plugin <= 6.23.3 is vulnerable to Broken Authentication", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T08:16:17.114Z"}, "title": "CVE Program Container", "references": [{"tags": ["vdb-entry", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"}, {"tags": ["third-party-advisory", "technical-description", "x_transferred"], "url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T16:32:31.654159Z", "id": "CVE-2022-34155", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T16:32:41.889Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve", "tags": ["third-party-advisory", "technical-description", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T08:16:17.114Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-34155", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-25T16:32:31.654159Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T16:32:35.937Z"}}], "cna": {"title": "WordPress OAuth Single Sign On \u2013 SSO (OAuth Client) Plugin <= 6.23.3 is vulnerable to Broken Authentication", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Lana Codes (Patchstack Alliance)"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "miniOrange", "product": "OAuth Single Sign On \u2013 SSO (OAuth Client)", "versions": [{"status": "affected", "changes": [{"at": "6.23.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "6.23.3"}], "packageName": "miniorange-login-with-eve-online-google-facebook", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to\u00a06.23.4 or a higher version.", "supportingMedia": [{"type": "text/html", "value": "Update to 6.23.4 or a higher version.", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}, {"url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve", "tags": ["third-party-advisory", "technical-description"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.\n\n", "supportingMedia": [{"type": "text/html", "value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.<p>This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2023-07-18T13:41:59.369Z"}}}, "cveMetadata": {"cveId": "CVE-2022-34155", "state": "PUBLISHED", "dateUpdated": "2024-09-25T16:32:41.889Z", "dateReserved": "2022-06-30T08:55:45.281Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2023-07-18T13:41:59.369Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miniorange:oauth_single_sign_on:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BCE04A76-6CF7-4B4E-9DBA-799BBC21955F", "versionEndExcluding": "6.23.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Authentication vulnerability in miniOrange OAuth Single Sign On \u2013 SSO (OAuth Client) plugin allows Authentication Bypass.This issue affects OAuth Single Sign On \u2013 SSO (OAuth Client): from n/a through 6.23.3.\n\n"}], "id": "CVE-2022-34155", "lastModified": "2024-11-21T07:08:57.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-18T14:15:12.093", "references": [{"source": "audit@patchstack.com", "tags": ["Exploit"], "url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"}, {"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://lana.codes/lanavdb/071fa6eb-2e54-43a1-b37f-1e562988b7d4?_s_id=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/miniorange-login-with-eve-online-google-facebook/wordpress-oauth-single-sign-on-sso-oauth-client-plugin-6-23-3-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "audit@patchstack.com", "type": "Secondary"}]}