CVE-2022-39033 - OpenCVE

Smart eVision’s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lcnet	Smart Evision

Configuration 1 [-]

cpe:2.3:a:lcnet:smart_evision:2022.02.21:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-6570-9c632-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2022-09-28T03:25:38.574465Z

Updated: 2024-09-16T22:57:04.490Z

Reserved: 2022-08-30T00:00:00

Link: CVE-2022-39033

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-28T04:15:14.883

Modified: 2022-09-28T23:44:30.997

Link: CVE-2022-39033

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Smart eVision", "vendor": "Smart eVision Information Technology Inc.", "versions": [{"status": "affected", "version": "2022.02.21"}]}], "datePublic": "2022-09-28T00:00:00", "descriptions": [{"lang": "en", "value": "Smart eVision\u2019s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-28T03:25:38", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-6570-9c632-1.html"}], "solutions": [{"lang": "en", "value": "Contact tech support from Smart eVision Information Technology Inc."}], "source": {"advisory": "TVN-202209006", "discovery": "EXTERNAL"}, "title": "Smart eVision - Path Traversal -1", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2022-09-28T03:00:00.000Z", "ID": "CVE-2022-39033", "STATE": "PUBLIC", "TITLE": "Smart eVision - Path Traversal -1"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Smart eVision", "version": {"version_data": [{"version_affected": "=", "version_value": "2022.02.21"}]}}]}, "vendor_name": "Smart eVision Information Technology Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Smart eVision\u2019s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-6570-9c632-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-6570-9c632-1.html"}]}, "solution": [{"lang": "en", "value": "Contact tech support from Smart eVision Information Technology Inc."}], "source": {"advisory": "TVN-202209006", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T11:10:32.292Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-6570-9c632-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2022-39033", "datePublished": "2022-09-28T03:25:38.574465Z", "dateReserved": "2022-08-30T00:00:00", "dateUpdated": "2024-09-16T22:57:04.490Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}