CVE-2022-42446 - OpenCVE

Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hcltech	Sametime

Configuration 1 [-]

OR	cpe:2.3:a:hcltech:sametime:12.0:-::::::
	cpe:2.3:a:hcltech:sametime:12.0:fp1::::::

No data.

References

Link	Providers
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101768

History

No history.

MITRE

Status: PUBLISHED

Assigner: HCL

Published: 2022-11-30T22:54:26.060Z

Updated: 2024-08-03T13:10:40.881Z

Reserved: 2022-10-06T16:01:51.741Z

Link: CVE-2022-42446

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-12T13:15:14.797

Modified: 2023-11-07T03:53:19.593

Link: CVE-2022-42446

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-42446", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "dateReserved": "2022-10-06T16:01:51.741Z", "datePublished": "2022-11-30T22:54:26.060Z", "dateUpdated": "2024-08-03T13:10:40.881Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HCL Sametime", "vendor": "HCL Software", "versions": [{"status": "affected", "version": "12.0, 12.0FP1"}]}], "datePublic": "2022-11-30T17:22:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.</span><br>"}], "value": "Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2022-12-12T12:11:04.548862Z"}, "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101768"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL Sametime 12.0 and 12.0FP1 anonymous users have directory lookup access", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:10:40.881Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101768", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:sametime:12.0:-:*:*:*:*:*:*", "matchCriteriaId": "66902941-C293-45D5-8759-1531DFE16409", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:sametime:12.0:fp1:*:*:*:*:*:*", "matchCriteriaId": "90E316D2-1E1E-4BEA-855A-D0A6BD2E3584", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.\n"}, {"lang": "es", "value": "A partir de Sametime 12, los usuarios an\u00f3nimos est\u00e1n habilitados de forma predeterminada. Despu\u00e9s de iniciar sesi\u00f3n como usuario an\u00f3nimo, uno tiene la posibilidad de explorar el directorio de usuarios y potencialmente crear chats con usuarios internos."}], "id": "CVE-2022-42446", "lastModified": "2023-11-07T03:53:19.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2022-12-12T13:15:14.797", "references": [{"source": "psirt@hcl.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101768"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}