OpenCVE

Use of Insufficiently Random Values in Honeywell OneWireless. This vulnerability may allow attacker to manipulate claims in client's JWT token. This issue affects OneWireless version 322.1

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Honeywell	Onewireless Network Wireless Device Manager Onewireless Network Wireless Device Manager Firmware

Configuration 1 [-]

AND

cpe:2.3:o:honeywell:onewireless_network_wireless_device_manager_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:onewireless_network_wireless_device_manager:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://process.honeywell.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Honeywell

Published: 2023-05-30T16:19:24.146Z

Updated: 2024-08-03T13:32:58.741Z

Reserved: 2022-11-30T20:26:18.642Z

Link: CVE-2022-43485

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-05-30T17:15:09.573

Modified: 2024-11-21T07:26:34.957

Link: CVE-2022-43485

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-43485", "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "state": "PUBLISHED", "assignerShortName": "Honeywell", "dateReserved": "2022-11-30T20:26:18.642Z", "datePublished": "2023-05-30T16:19:24.146Z", "dateUpdated": "2024-08-03T13:32:58.741Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OneWireless", "vendor": "Honeywell", "versions": [{"status": "affected", "version": "322.1"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Use of Insufficiently Random Values in Honeywell OneWireless. This vulnerability may allow attacker to manipulate claims in client's JWT token. </span><span style=\"background-color: var(--wht);\">This issue affects OneWireless version 322.1</span>"}], "value": "\nUse of Insufficiently Random Values in Honeywell OneWireless. This vulnerability\u00a0may allow attacker to manipulate claims in client's JWT token.\u00a0This issue affects OneWireless version 322.1"}], "impacts": [{"capecId": "CAPEC-39", "descriptions": [{"lang": "en", "value": "CAPEC-39 Manipulating Opaque Client-based Data Tokens"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330: Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell", "dateUpdated": "2023-05-30T16:19:24.146Z"}, "references": [{"url": "https://process.honeywell.com/"}], "source": {"discovery": "UNKNOWN"}, "title": "Insecure random number used for generating keys for signing Jwt tokens", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:58.741Z"}, "title": "CVE Program Container", "references": [{"url": "https://process.honeywell.com/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:honeywell:onewireless_network_wireless_device_manager_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "189C7318-C0AC-41A9-99AB-AB2BCB75E90B", "versionEndExcluding": "r322.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:onewireless_network_wireless_device_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "987B6E5F-C1B6-4764-A3B1-4AC7734B6D1D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nUse of Insufficiently Random Values in Honeywell OneWireless. This vulnerability\u00a0may allow attacker to manipulate claims in client's JWT token.\u00a0This issue affects OneWireless version 322.1"}], "id": "CVE-2022-43485", "lastModified": "2024-11-21T07:26:34.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 4.0, "source": "psirt@honeywell.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-30T17:15:09.573", "references": [{"source": "psirt@honeywell.com", "tags": ["Product"], "url": "https://process.honeywell.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://process.honeywell.com/"}], "sourceIdentifier": "psirt@honeywell.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "psirt@honeywell.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-330"}], "source": "nvd@nist.gov", "type": "Primary"}]}