CVE-2022-40622 - Vulnerability Details - OpenCVE

The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00191.

Key SSVC decision points have not yet been added.

Vendors	Products
Wavlink	Wn531g3 Wn531g3 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:wavlink:wn531g3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wavlink:wn531g3:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-43896	The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://youtu.be/cSileV8YbsQ?t=655

History

No history.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2022-09-13T20:35:12.848865Z

Updated: 2024-09-16T16:54:00.789Z

Reserved: 2022-09-12T00:00:00

Link: CVE-2022-40622

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-13T21:15:10.197

Modified: 2024-11-21T07:21:43.800

Link: CVE-2022-40622

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "WN531G3", "vendor": "WAVLINK", "versions": [{"lessThanOrEqual": "M31G3.V5030.200325", "status": "affected", "version": "M31G3.V5030.200325", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Corey Hartman"}], "datePublic": "2022-08-02T00:00:00", "descriptions": [{"lang": "en", "value": "The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-304", "description": "CWE-304 Missing Critical Step in Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-13T20:35:12", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://youtu.be/cSileV8YbsQ?t=655"}], "source": {"discovery": "EXTERNAL"}, "title": "WAVLINK Quantum D4G (WN531G3) Session Management by IP Address", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2022-08-02T14:00:00.000Z", "ID": "CVE-2022-40622", "STATE": "PUBLIC", "TITLE": "WAVLINK Quantum D4G (WN531G3) Session Management by IP Address"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WN531G3", "version": {"version_data": [{"platform": "", "version_affected": "<=", "version_name": "M31G3.V5030.200325", "version_value": "M31G3.V5030.200325"}]}}]}, "vendor_name": "WAVLINK"}]}}, "credit": [{"lang": "eng", "value": "Corey Hartman"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-304 Missing Critical Step in Authentication"}]}]}, "references": {"reference_data": [{"name": "https://youtu.be/cSileV8YbsQ?t=655", "refsource": "MISC", "url": "https://youtu.be/cSileV8YbsQ?t=655"}]}, "source": {"advisory": "", "defect": [], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:21:46.371Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://youtu.be/cSileV8YbsQ?t=655"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2022-40622", "datePublished": "2022-09-13T20:35:12.848865Z", "dateReserved": "2022-09-12T00:00:00", "dateUpdated": "2024-09-16T16:54:00.789Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:wavlink:wn531g3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8E4F42B-0D2E-4D51-A8C7-37C5D95ECB2C", "versionEndIncluding": "m31g3.v5030.200325", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:wavlink:wn531g3:-:*:*:*:*:*:*:*", "matchCriteriaId": "3AE2AAA4-71D2-4B70-81FB-836F1A419DBC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible."}, {"lang": "es", "value": "El WAVLINK Quantum D4G (WN531G3) ejecutando la versi\u00f3n de firmware M31G3.V5030.200325, usa direcciones IP para mantener las sesiones y no usa tokens de sesi\u00f3n. Por lo tanto, si un atacante cambia su direcci\u00f3n IP para que coincida con la del administrador que ha iniciado la sesi\u00f3n, o est\u00e1 detr\u00e1s del mismo NAT que el administrador que ha iniciado la sesi\u00f3n, es posible una toma de control de sesi\u00f3n"}], "id": "CVE-2022-40622", "lastModified": "2024-11-21T07:21:43.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-13T21:15:10.197", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://youtu.be/cSileV8YbsQ?t=655"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://youtu.be/cSileV8YbsQ?t=655"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-304"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}