CVE-2022-40895 - OpenCVE

In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nedi	Nedi

Configuration 1 [-]

OR	cpe:2.3:a:nedi:nedi::::::freebsd::*
	cpe:2.3:a:nedi:nedi::::::suse::*
	cpe:2.3:a:nedi:nedi:1.0.7:::::mac_os_x::

No data.

References

Link	Providers
http://forum.nedi.ch/index.php
https://gist.github.com/UditChavda/2f2effa477a429b485ae7e2dc3bbd04f
https://www.nedi.ch/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-06T00:00:00

Updated: 2024-08-03T12:28:42.915Z

Reserved: 2022-09-19T00:00:00

Link: CVE-2022-40895

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-06T18:16:54.463

Modified: 2022-10-07T20:11:10.490

Link: CVE-2022-40895

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nedi:nedi:*:*:*:*:*:freebsd:*:*", "matchCriteriaId": "AA1883E8-E61D-4BB2-850F-BAEBFAEE383B", "versionEndIncluding": "1.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:nedi:nedi:*:*:*:*:*:suse:*:*", "matchCriteriaId": "A8B42059-901F-4E6C-9D67-3428C3839309", "versionEndIncluding": "1.0.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:nedi:nedi:1.0.7:*:*:*:*:mac_os_x:*:*", "matchCriteriaId": "428CE0C6-133B-4052-9136-8C076686A224", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=."}, {"lang": "es", "value": "En determinados productos Nedi, una vulnerabilidad en la Interfaz de Usuario Web de NeDi login & Community login podr\u00eda permitir a un atacante remoto no autenticado afectar a la integridad de un dispositivo por medio de una vulnerabilidad de Enumeraci\u00f3n de usuarios. La vulnerabilidad es debido a un dise\u00f1o no seguro, donde una diferencia en la utilidad de olvido de contrase\u00f1a podr\u00eda permitir a un atacante determinar si el usuario es v\u00e1lido o no, permitiendo un ataque de fuerza bruta con usuarios v\u00e1lidos. Esto afecta a NeDi versiones 1.0.7 para OS X versiones anteriores a 1.0.7 incluy\u00e9ndola, y NeDi para Suse versiones anteriores a 1.0.7 incluy\u00e9ndola, y NeDi para FreeBSD versiones anteriores a 1.0.7 incluy\u00e9ndola"}], "id": "CVE-2022-40895", "lastModified": "2022-10-07T20:11:10.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-06T18:16:54.463", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://forum.nedi.ch/index.php"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/UditChavda/2f2effa477a429b485ae7e2dc3bbd04f"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.nedi.ch/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}