CVE-2022-3589 - Vulnerability Details - OpenCVE

An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Miele	Appwash

Configuration 1 [-]

cpe:2.3:a:miele:appwash:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert.vde.com/de/advisories/VDE-2022-052/

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2022-11-21T09:56:37.348Z

Updated: 2024-08-03T01:14:01.961Z

Reserved: 2022-10-18T13:47:24.107Z

Link: CVE-2022-3589

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-21T10:15:31.437

Modified: 2024-11-21T07:19:49.797

Link: CVE-2022-3589

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3589", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "requesterUserId": "a1e5283b-8f0d-401e-98b2-bc6219c0e8d1", "dateReserved": "2022-10-18T13:47:24.107Z", "datePublished": "2022-11-21T09:56:37.348Z", "dateUpdated": "2024-08-03T01:14:01.961Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "appWash", "vendor": "Miele", "versions": [{"status": "affected", "version": "all (until October 5th 2022)"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Miele would like to thank Bishoy Roufael for responsibly disclousing this vulnerability."}], "datePublic": "2022-11-21T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability."}], "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability."}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2022-11-21T09:56:37.348Z"}, "references": [{"url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The cloud service used by appWash was fixed on 05.10.2022.<br>"}], "value": "The cloud service used by appWash was fixed on 05.10.2022.\n"}], "source": {"advisory": "VDE-2022-052", "defect": ["CERT@VDE#64255"], "discovery": "UNKNOWN"}, "title": "Miele: Vulnerability in cloud service used by appWash", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:01.961Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/de/advisories/VDE-2022-052/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miele:appwash:*:*:*:*:*:*:*:*", "matchCriteriaId": "4930719D-B21E-4B07-ABBD-E50C4232FE10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An API Endpoint used by Miele's \"AppWash\" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability."}, {"lang": "es", "value": "Un API Endpoint utilizado por la aplicaci\u00f3n m\u00f3vil \"AppWash\" de Miele en todas las versiones era vulnerable a una omisi\u00f3n de autorizaci\u00f3n. Un atacante remoto con pocos privilegios habr\u00eda podido obtener acceso de lectura y escritura parcial a los datos de otros usuarios modificando una peque\u00f1a parte de una solicitud HTTP enviada a la API. No fue posible leer o cambiar la contrase\u00f1a de otro usuario, por lo que no hubo impacto en la Disponibilidad."}], "id": "CVE-2022-3589", "lastModified": "2024-11-21T07:19:49.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2022-11-21T10:15:31.437", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/de/advisories/VDE-2022-052/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "info@cert.vde.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}