CVE-2022-36782 - Vulnerability Details - OpenCVE

Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerability is an authorization problem in PalGate device management android client app. Gates of bulidings and parking lots with a simple button in any smartphone. The API was found after a decompiling and static research using Jadx, and a dynamic analasys using Frida. The attacker can iterate over all the IOT devices to see every entry and exit, on every gate and device all over the world, he can also scrape the server and create a user's DB with full names and phone number of over 2.8 million users, and to see all of the users' movement in and out of gates, even in real time.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0007.

Key SSVC decision points have not yet been added.

Vendors	Products
Pal-es	Palgate

Configuration 1 [-]

cpe:2.3:a:pal-es:palgate:-:*:*:*:*:android:*:*

No data.

No data.

Fixes

Solution

Update to the latest version

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.gov.il/en/Departments/faq/cve_advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCD

Published: 2022-09-13T14:58:04.852468Z

Updated: 2024-09-16T18:54:37.400Z

Reserved: 2022-07-26T00:00:00

Link: CVE-2022-36782

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-13T15:15:08.723

Modified: 2024-11-21T07:13:43.600

Link: CVE-2022-36782

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Pal Gate", "vendor": "Pal Electronics Systems", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "Update to the latest version", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Tal Saadi"}], "datePublic": "2022-09-11T00:00:00", "descriptions": [{"lang": "en", "value": "Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerability is an authorization problem in PalGate device management android client app. Gates of bulidings and parking lots with a simple button in any smartphone. The API was found after a decompiling and static research using Jadx, and a dynamic analasys using Frida. The attacker can iterate over all the IOT devices to see every entry and exit, on every gate and device all over the world, he can also scrape the server and create a user's DB with full names and phone number of over 2.8 million users, and to see all of the users' movement in and out of gates, even in real time."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Authorization Errors", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-13T14:58:04", "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "solutions": [{"lang": "en", "value": "Update to the latest version"}], "source": {"defect": ["ILVN-2022-0053"], "discovery": "EXTERNAL"}, "title": "Pal Electronics Systems - Pal Gate Authorization Errors", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cyber.gov.il", "DATE_PUBLIC": "2022-09-11T05:45:00.000Z", "ID": "CVE-2022-36782", "STATE": "PUBLIC", "TITLE": "Pal Electronics Systems - Pal Gate Authorization Errors"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pal Gate", "version": {"version_data": [{"version_affected": ">=", "version_value": "Update to the latest version"}]}}]}, "vendor_name": "Pal Electronics Systems"}]}}, "credit": [{"lang": "eng", "value": "Tal Saadi"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerability is an authorization problem in PalGate device management android client app. Gates of bulidings and parking lots with a simple button in any smartphone. The API was found after a decompiling and static research using Jadx, and a dynamic analasys using Frida. The attacker can iterate over all the IOT devices to see every entry and exit, on every gate and device all over the world, he can also scrape the server and create a user's DB with full names and phone number of over 2.8 million users, and to see all of the users' movement in and out of gates, even in real time."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Authorization Errors"}]}]}, "references": {"reference_data": [{"name": "https://www.gov.il/en/Departments/faq/cve_advisories", "refsource": "MISC", "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}, "solution": [{"lang": "en", "value": "Update to the latest version"}], "source": {"defect": ["ILVN-2022-0053"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:14:28.471Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}]}]}, "cveMetadata": {"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "assignerShortName": "INCD", "cveId": "CVE-2022-36782", "datePublished": "2022-09-13T14:58:04.852468Z", "dateReserved": "2022-07-26T00:00:00", "dateUpdated": "2024-09-16T18:54:37.400Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pal-es:palgate:-:*:*:*:*:android:*:*", "matchCriteriaId": "26FE09C7-FD16-4FFB-913D-2E28D0EBD0B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerability is an authorization problem in PalGate device management android client app. Gates of bulidings and parking lots with a simple button in any smartphone. The API was found after a decompiling and static research using Jadx, and a dynamic analasys using Frida. The attacker can iterate over all the IOT devices to see every entry and exit, on every gate and device all over the world, he can also scrape the server and create a user's DB with full names and phone number of over 2.8 million users, and to see all of the users' movement in and out of gates, even in real time."}, {"lang": "es", "value": "Pal Electronics Systems - Pal Gate. Errores de Autorizaci\u00f3n. La vulnerabilidad es un problema de autorizaci\u00f3n en la aplicaci\u00f3n cliente androide de administraci\u00f3n de dispositivos PalGate. Puertas de edificios y aparcamientos con un simple bot\u00f3n en cualquier smartphone. La API fue encontrada despu\u00e9s de una des compilaci\u00f3n e investigaci\u00f3n est\u00e1tica usando Jadx, y un an\u00e1lisis din\u00e1mico usando Frida. El atacante puede iterar sobre todos los dispositivos IOT para visualizar cada entrada y salida, en cada puerta y dispositivo en todo el mundo, tambi\u00e9n puede raspar el servidor y crear una base de datos de usuarios con nombres completos y n\u00famero de tel\u00e9fono de m\u00e1s de 2.8 millones de usuarios, y visualizar todo el movimiento de usuarios dentro y fuera de las puertas, incluso en tiempo real"}], "id": "CVE-2022-36782", "lastModified": "2024-11-21T07:13:43.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "cna@cyber.gov.il", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-13T15:15:08.723", "references": [{"source": "cna@cyber.gov.il", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}