CVE-2022-3589 - Vulnerability Details - OpenCVE

An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Miele	Appwash

Configuration 1 [-]

cpe:2.3:a:miele:appwash:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

The cloud service used by appWash was fixed on 05.10.2022.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert.vde.com/de/advisories/VDE-2022-052/

History

Fri, 25 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2022-11-21T09:56:37.348Z

Updated: 2025-04-25T19:29:31.066Z

Reserved: 2022-10-18T13:47:24.107Z

Link: CVE-2022-3589

Vulnrichment

Updated: 2024-08-03T01:14:01.961Z

NVD

Status : Modified

Published: 2022-11-21T10:15:31.437

Modified: 2024-11-21T07:19:49.797

Link: CVE-2022-3589

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3589", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "requesterUserId": "a1e5283b-8f0d-401e-98b2-bc6219c0e8d1", "dateReserved": "2022-10-18T13:47:24.107Z", "datePublished": "2022-11-21T09:56:37.348Z", "dateUpdated": "2025-04-25T19:29:31.066Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "appWash", "vendor": "Miele", "versions": [{"status": "affected", "version": "all (until October 5th 2022)"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Miele would like to thank Bishoy Roufael for responsibly disclousing this vulnerability."}], "datePublic": "2022-11-21T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability."}], "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability."}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2022-11-21T09:56:37.348Z"}, "references": [{"url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The cloud service used by appWash was fixed on 05.10.2022.<br>"}], "value": "The cloud service used by appWash was fixed on 05.10.2022.\n"}], "source": {"advisory": "VDE-2022-052", "defect": ["CERT@VDE#64255"], "discovery": "UNKNOWN"}, "title": "Miele: Vulnerability in cloud service used by appWash", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:01.961Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/de/advisories/VDE-2022-052/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T19:29:19.155772Z", "id": "CVE-2022-3589", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T19:29:31.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/de/advisories/VDE-2022-052/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:01.961Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-3589", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T19:29:19.155772Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T19:29:24.127Z"}}], "cna": {"title": "Miele: Vulnerability in cloud service used by appWash", "source": {"defect": ["CERT@VDE#64255"], "advisory": "VDE-2022-052", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Miele would like to thank Bishoy Roufael for responsibly disclousing this vulnerability."}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Miele", "product": "appWash", "versions": [{"status": "affected", "version": "all (until October 5th 2022)"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The cloud service used by appWash was fixed on 05.10.2022.\n", "supportingMedia": [{"type": "text/html", "value": "The cloud service used by appWash was fixed on 05.10.2022.<br>", "base64": false}]}], "datePublic": "2022-11-21T09:00:00.000Z", "references": [{"url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.", "supportingMedia": [{"type": "text/html", "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2022-11-21T09:56:37.348Z"}}}, "cveMetadata": {"cveId": "CVE-2022-3589", "state": "PUBLISHED", "dateUpdated": "2025-04-25T19:29:31.066Z", "dateReserved": "2022-10-18T13:47:24.107Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2022-11-21T09:56:37.348Z", "requesterUserId": "a1e5283b-8f0d-401e-98b2-bc6219c0e8d1", "assignerShortName": "CERTVDE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miele:appwash:*:*:*:*:*:*:*:*", "matchCriteriaId": "4930719D-B21E-4B07-ABBD-E50C4232FE10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability."}, {"lang": "es", "value": "Un API Endpoint utilizado por la aplicaci\u00f3n m\u00f3vil \"AppWash\" de Miele en todas las versiones era vulnerable a una omisi\u00f3n de autorizaci\u00f3n. Un atacante remoto con pocos privilegios habr\u00eda podido obtener acceso de lectura y escritura parcial a los datos de otros usuarios modificando una peque\u00f1a parte de una solicitud HTTP enviada a la API. No fue posible leer o cambiar la contrase\u00f1a de otro usuario, por lo que no hubo impacto en la Disponibilidad."}], "id": "CVE-2022-3589", "lastModified": "2024-11-21T07:19:49.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2022-11-21T10:15:31.437", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "info@cert.vde.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}