CVE-2022-37145 - Vulnerability Details - OpenCVE

The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Plextrac	Plextrac

Configuration 1 [-]

cpe:2.3:a:plextrac:plextrac:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://plextrac.com
https://www.controlgap.com/blog/a-plextrac-story

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-08T00:28:04

Updated: 2024-08-03T10:21:33.223Z

Reserved: 2022-08-01T00:00:00

Link: CVE-2022-37145

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-08T01:15:07.450

Modified: 2024-11-21T07:14:31.020

Link: CVE-2022-37145

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T00:28:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://plextrac.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.controlgap.com/blog/a-plextrac-story"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-37145", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://plextrac.com", "refsource": "MISC", "url": "http://plextrac.com"}, {"name": "https://www.controlgap.com/blog/a-plextrac-story", "refsource": "MISC", "url": "https://www.controlgap.com/blog/a-plextrac-story"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:33.223Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://plextrac.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.controlgap.com/blog/a-plextrac-story"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-37145", "datePublished": "2022-09-08T00:28:04", "dateReserved": "2022-08-01T00:00:00", "dateUpdated": "2024-08-03T10:21:33.223Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plextrac:plextrac:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6DC413C-DC04-4DE8-B407-F14BB7974FC9", "versionEndExcluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider."}, {"lang": "es", "value": "La plataforma PlexTrac versiones anteriores a 1.17.0 no restringe los intentos de autenticaci\u00f3n excesivos para las cuentas configuradas para usar el proveedor de autenticaci\u00f3n PlexTrac. Un atacante remoto no autenticado podr\u00eda llevar a cabo un ataque de fuerza bruta en la p\u00e1gina de inicio de sesi\u00f3n sin l\u00edmite de tiempo o de intento en un intento de obtener credenciales v\u00e1lidas para usuarios de la plataforma configurados para usar el proveedor de autenticaci\u00f3n PlexTrac"}], "id": "CVE-2022-37145", "lastModified": "2024-11-21T07:14:31.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-08T01:15:07.450", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://plextrac.com"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://www.controlgap.com/blog/a-plextrac-story"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "http://plextrac.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://www.controlgap.com/blog/a-plextrac-story"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}]}