CVE-2022-30683 (GCVE-0-2022-30683)
Vulnerability from cvelistv5 – Published: 2022-09-16 17:45 – Updated: 2025-04-23 17:05
VLAI?
Summary
Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.
Severity ?
5.3 (Medium)
CWE
- CWE-657 - Violation of Secure Design Principles (CWE-657)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Adobe | Experience Manager |
Affected:
unspecified , ≤ 6.5.13.0
(custom)
Affected: unspecified , ≤ None (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:56:13.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-30683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:04:10.308273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:05:47.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Experience Manager",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "6.5.13.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "None",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-09-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-657",
"description": "Violation of Secure Design Principles (CWE-657)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-16T17:45:20.000Z",
"orgId": "078d4453-3bcd-4900-85e6-15281da43538",
"shortName": "adobe"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "AEM Violation of Secure Design Principles Security feature bypass",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@adobe.com",
"DATE_PUBLIC": "2022-09-13T23:00:00.000Z",
"ID": "CVE-2022-30683",
"STATE": "PUBLIC",
"TITLE": "AEM Violation of Secure Design Principles Security feature bypass"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Experience Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "6.5.13.0"
},
{
"version_affected": "\u003c=",
"version_value": "None"
},
{
"version_affected": "\u003c=",
"version_value": "None"
},
{
"version_affected": "\u003c=",
"version_value": "None"
}
]
}
}
]
},
"vendor_name": "Adobe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "High",
"attackVector": "Network",
"availabilityImpact": "None",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Violation of Secure Design Principles (CWE-657)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html",
"refsource": "MISC",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
"assignerShortName": "adobe",
"cveId": "CVE-2022-30683",
"datePublished": "2022-09-16T17:45:20.824Z",
"dateReserved": "2022-05-12T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:05:47.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"6.5.13.0\", \"matchCriteriaId\": \"EE44AFD0-04BC-4754-8834-77C27AEA3CDE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:adobe:experience_manager:-:*:*:*:cloud_service:*:*:*\", \"matchCriteriaId\": \"B3E850FF-78BA-496F-9C3D-C119C64B34F9\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.\"}, {\"lang\": \"es\", \"value\": \"Adobe Experience Manager versiones 6.5.13.0 (y anteriores), est\\u00e1n afectadas por una vulnerabilidad de Violaci\\u00f3n de los Principios de Dise\\u00f1o Seguro que podr\\u00eda conllevar a una omisi\\u00f3n de la funci\\u00f3n de seguridad del mecanismo de cifrado en el backend . Un atacante podr\\u00eda aprovechar esta vulnerabilidad para descifrar secretos, sin embargo, este es un ataque de alta complejidad ya que el actor de la amenaza necesita ya poseer esos secretos. La explotaci\\u00f3n de este problema requiere un acceso de bajo privilegio a AEM\"}]",
"id": "CVE-2022-30683",
"lastModified": "2024-11-21T07:03:09.897",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}], \"cvssMetricV30\": [{\"source\": \"psirt@adobe.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}]}",
"published": "2022-09-16T18:15:12.943",
"references": "[{\"url\": \"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@adobe.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@adobe.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-657\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-30683\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2022-09-16T18:15:12.943\",\"lastModified\":\"2025-09-19T17:19:39.570\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.\"},{\"lang\":\"es\",\"value\":\"Adobe Experience Manager versiones 6.5.13.0 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de Violaci\u00f3n de los Principios de Dise\u00f1o Seguro que podr\u00eda conllevar a una omisi\u00f3n de la funci\u00f3n de seguridad del mecanismo de cifrado en el backend . Un atacante podr\u00eda aprovechar esta vulnerabilidad para descifrar secretos, sin embargo, este es un ataque de alta complejidad ya que el actor de la amenaza necesita ya poseer esos secretos. La explotaci\u00f3n de este problema requiere un acceso de bajo privilegio a AEM\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-657\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.5.13.0\",\"matchCriteriaId\":\"EE44AFD0-04BC-4754-8834-77C27AEA3CDE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:experience_manager:-:*:*:*:aem_cloud_service:*:*:*\",\"matchCriteriaId\":\"A88C919F-4221-4669-A725-06094F811012\"}]}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T06:56:13.516Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-30683\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:04:10.308273Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:04:12.313Z\"}}], \"cna\": {\"title\": \"AEM Violation of Secure Design Principles Security feature bypass\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Adobe\", \"product\": \"Experience Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.5.13.0\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"None\"}]}], \"datePublic\": \"2022-09-13T00:00:00.000Z\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-657\", \"description\": \"Violation of Secure Design Principles (CWE-657)\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2022-09-16T17:45:20.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"Unchanged\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"Network\", \"baseSeverity\": \"Medium\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"None\", \"userInteraction\": \"None\", \"attackComplexity\": \"High\", \"availabilityImpact\": \"None\", \"privilegesRequired\": \"Low\", \"confidentialityImpact\": \"High\"}}, \"source\": {\"discovery\": \"EXTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"6.5.13.0\", \"version_affected\": \"\u003c=\"}, {\"version_value\": \"None\", \"version_affected\": \"\u003c=\"}, {\"version_value\": \"None\", \"version_affected\": \"\u003c=\"}, {\"version_value\": \"None\", \"version_affected\": \"\u003c=\"}]}, \"product_name\": \"Experience Manager\"}]}, \"vendor_name\": \"Adobe\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\", \"name\": \"https://helpx.adobe.com/security/products/experience-manager/apsb22-40.html\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could leverage this vulnerability to decrypt secrets, however, this is a high-complexity attack as the threat actor needs to already possess those secrets. Exploitation of this issue requires low-privilege access to AEM.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Violation of Secure Design Principles (CWE-657)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-30683\", \"STATE\": \"PUBLIC\", \"TITLE\": \"AEM Violation of Secure Design Principles Security feature bypass\", \"ASSIGNER\": \"psirt@adobe.com\", \"DATE_PUBLIC\": \"2022-09-13T23:00:00.000Z\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-30683\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T17:05:47.747Z\", \"dateReserved\": \"2022-05-12T00:00:00.000Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2022-09-16T17:45:20.824Z\", \"assignerShortName\": \"adobe\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…