cvelistv5 - cve-2022-39299

URL	Tags
security-advisories@github.com	http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html	Third Party Advisory, VDB Entry
security-advisories@github.com	https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7	Third Party Advisory

▼	Vendor	Product
	node-saml	passport-saml

gsd-2022-39299

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.

Aliases

CVE-2022-39299

Aliases

CVE-2022-39299

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39299",
    "description": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.",
    "id": "GSD-2022-39299"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39299"
      ],
      "details": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.",
      "id": "GSD-2022-39299",
      "modified": "2023-12-13T01:19:20.647775Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39299",
        "STATE": "PUBLIC",
        "TITLE": "Signature bypass via multiple root elements in Passport-SAML"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "passport-saml",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 3.2.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "node-saml"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-347: Improper Verification of Cryptographic Signature"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7",
            "refsource": "CONFIRM",
            "url": "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7"
          },
          {
            "name": "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e",
            "refsource": "MISC",
            "url": "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e"
          },
          {
            "name": "http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-m974-647v-whv7",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.0.0-beta.5",
          "affected_versions": "All versions before 4.0.0-beta.5",
          "cwe_ids": [
            "CWE-1035",
            "CWE-347",
            "CWE-937"
          ],
          "date": "2022-10-13",
          "description": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.",
          "fixed_versions": [
            "4.0.0-beta.5"
          ],
          "identifier": "CVE-2022-39299",
          "identifiers": [
            "GHSA-m974-647v-whv7",
            "CVE-2022-39299"
          ],
          "not_impacted": "All versions starting from 4.0.0-beta.5",
          "package_slug": "npm/@node-saml/node-saml",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 4.0.0-beta.5 or above. *Note*: 4.0.0-beta.5 may be an unstable version. Use caution.",
          "title": "Improper Verification of Cryptographic Signature",
          "urls": [
            "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7",
            "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e",
            "https://github.com/node-saml/passport-saml/releases/tag/v3.2.2",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39299",
            "https://github.com/advisories/GHSA-m974-647v-whv7"
          ],
          "uuid": "dce5d9be-18de-4a12-93ce-9caede5cad03"
        },
        {
          "affected_range": "\u003c4.0.0-beta.3",
          "affected_versions": "All versions before 4.0.0-beta.3",
          "cwe_ids": [
            "CWE-1035",
            "CWE-347",
            "CWE-937"
          ],
          "date": "2022-10-13",
          "description": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.",
          "fixed_versions": [
            "4.0.0-beta.3"
          ],
          "identifier": "CVE-2022-39299",
          "identifiers": [
            "GHSA-m974-647v-whv7",
            "CVE-2022-39299"
          ],
          "not_impacted": "All versions starting from 4.0.0-beta.3",
          "package_slug": "npm/@node-saml/passport-saml",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 4.0.0-beta.3 or above. *Note*: 4.0.0-beta.3 may be an unstable version. Use caution.",
          "title": "Improper Verification of Cryptographic Signature",
          "urls": [
            "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7",
            "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e",
            "https://github.com/node-saml/passport-saml/releases/tag/v3.2.2",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39299",
            "https://github.com/advisories/GHSA-m974-647v-whv7"
          ],
          "uuid": "3f191e12-d3c6-4f0c-b57f-80e96c50cd21"
        },
        {
          "affected_range": "\u003c4.0.0-beta.5",
          "affected_versions": "All versions before 4.0.0-beta.5",
          "cwe_ids": [
            "CWE-1035",
            "CWE-347",
            "CWE-937"
          ],
          "date": "2022-10-13",
          "description": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.",
          "fixed_versions": [
            "4.0.0-beta.5"
          ],
          "identifier": "CVE-2022-39299",
          "identifiers": [
            "GHSA-m974-647v-whv7",
            "CVE-2022-39299"
          ],
          "not_impacted": "All versions starting from 4.0.0-beta.5",
          "package_slug": "npm/node-saml",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 4.0.0-beta.5 or above. *Note*: 4.0.0-beta.5 may be an unstable version. Use caution.",
          "title": "Improper Verification of Cryptographic Signature",
          "urls": [
            "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7",
            "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e",
            "https://github.com/node-saml/passport-saml/releases/tag/v3.2.2",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39299",
            "https://github.com/advisories/GHSA-m974-647v-whv7"
          ],
          "uuid": "ee3ccfc3-e6c3-4aa4-b648-1d0b12da5ce1"
        },
        {
          "affected_range": "\u003c3.2.2||=4.0.0",
          "affected_versions": "All versions before 3.2.2, version 4.0.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-347",
            "CWE-937"
          ],
          "date": "2023-01-20",
          "description": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround.",
          "fixed_versions": [
            "3.2.2"
          ],
          "identifier": "CVE-2022-39299",
          "identifiers": [
            "CVE-2022-39299",
            "GHSA-m974-647v-whv7"
          ],
          "not_impacted": "All versions starting from 3.2.2 before 4.0.0, all versions after 4.0.0",
          "package_slug": "npm/passport-saml",
          "pubdate": "2022-10-12",
          "solution": "Upgrade to version 3.2.2 or above.",
          "title": "Improper Verification of Cryptographic Signature",
          "urls": [
            "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7",
            "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e",
            "https://github.com/node-saml/passport-saml/releases/tag/v3.2.2",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39299",
            "https://github.com/advisories/GHSA-m974-647v-whv7"
          ],
          "uuid": "a7de65bb-4081-4f6f-ba50-063dfe65a474"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:passport-saml_project:passport-saml:4.0.0:beta2:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:passport-saml_project:passport-saml:4.0.0:beta3:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:passport-saml_project:passport-saml:4.0.0:beta4:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:passport-saml_project:passport-saml:4.0.0:beta1:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:passport-saml_project:passport-saml:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.2.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39299"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to passport-saml version 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before version 4.0.0-beta.5. If you cannot upgrade, disabling SAML authentication may be done as a workaround."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-347"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7"
            },
            {
              "name": "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e"
            },
            {
              "name": "http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-01-20T14:24Z",
      "publishedDate": "2022-10-12T21:15Z"
    }
  }
}

ghsa-m974-647v-whv7

Vulnerability from github

Published

2022-10-12 22:05

Modified

2022-10-18 03:11

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Signature bypass via multiple root elements

Details

Impact

A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.

Patches

Users should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of node-saml before v4.0.0-beta.5.

Workarounds

Disable SAML authentication.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory: * Open a discussion in the node-saml repo

Credits

Felix Wilhelm of Google Project Zero

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "passport-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@node-saml/node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@node-saml/passport-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0-beta.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-12T22:05:41Z",
    "nvd_published_at": "2022-10-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.\n\n### Patches\n\nUsers should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before v4.0.0-beta.5.\n\n### Workarounds\n\nDisable SAML authentication.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in the [node-saml repo](https://github.com/node-saml/node-saml/discussions)\n\n### Credits\n\n* Felix Wilhelm of Google Project Zero\n",
  "id": "GHSA-m974-647v-whv7",
  "modified": "2022-10-18T03:11:22Z",
  "published": "2022-10-12T22:05:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39299"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-saml/passport-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/passport-saml/releases/tag/v3.2.2"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signature bypass via multiple root elements"
}

wid-sec-w-2022-2368

Vulnerability from csaf_certbund

Published

2022-12-19 23:00

Modified

2023-01-09 23:00

Summary

HCL BigFix: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.

Angriff

Ein Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um die Verfügbarkeit, die Vertraulichkeit und die Integrität zu gefährden.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-2368 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2368.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-2368 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2368"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6853623 vom 2023-01-09",
        "url": "https://www.ibm.com/support/pages/node/6853623"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin KB0102049 vom 2022-12-17",
        "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0102049"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2022-12-19",
        "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0102168"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2022-12-19",
        "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0102140"
      }
    ],
    "source_lang": "en-US",
    "title": "HCL BigFix: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-01-09T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:07:21.053+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2022-2368",
      "initial_release_date": "2022-12-19T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-12-19T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-12-28T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von HCL aufgenommen"
        },
        {
          "date": "2023-01-09T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "HCL BigFix",
                "product": {
                  "name": "HCL BigFix",
                  "product_id": "T017494",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:-"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "HCL BigFix \u003c 10.0.8\u00a0",
                "product": {
                  "name": "HCL BigFix \u003c 10.0.8\u00a0",
                  "product_id": "T025721",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:10.0.8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "HCL BigFix \u003c 9.5.21",
                "product": {
                  "name": "HCL BigFix \u003c 9.5.21",
                  "product_id": "T025722",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:9.5.21"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "BigFix"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM License Metric Tool",
            "product": {
              "name": "IBM License Metric Tool",
              "product_id": "T016581",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:license_metric_tool:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-44756",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-44756"
    },
    {
      "cve": "CVE-2022-42454",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-42454"
    },
    {
      "cve": "CVE-2022-42448",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-42448"
    },
    {
      "cve": "CVE-2022-39299",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-39299"
    },
    {
      "cve": "CVE-2022-38655",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-38655"
    },
    {
      "cve": "CVE-2022-37616",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-37616"
    },
    {
      "cve": "CVE-2022-33987",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-33987"
    },
    {
      "cve": "CVE-2022-31160",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-31160"
    },
    {
      "cve": "CVE-2022-31129",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-31129"
    },
    {
      "cve": "CVE-2022-25896",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-25896"
    },
    {
      "cve": "CVE-2022-25887",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2022-25887"
    },
    {
      "cve": "CVE-2021-41184",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2021-41184"
    },
    {
      "cve": "CVE-2021-41183",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2021-41183"
    },
    {
      "cve": "CVE-2021-41182",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2021-41182"
    },
    {
      "cve": "CVE-2021-32014",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2021-32014"
    },
    {
      "cve": "CVE-2021-32013",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2021-32013"
    },
    {
      "cve": "CVE-2021-32012",
      "notes": [
        {
          "category": "description",
          "text": "In HCL BigFix existieren mehrere Schwachstellen. Diese sind sowohl im Quellcode als auch in Open-Source-Komponenten zu finden. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Verf\u00fcgbarkeit, die Vertraulichkeit und die Integrit\u00e4t zu gef\u00e4hrden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T016581",
          "T025722",
          "T025721",
          "T017494"
        ]
      },
      "release_date": "2022-12-19T23:00:00Z",
      "title": "CVE-2021-32012"
    }
  ]
}

Action not permitted

cve-2022-39299

Vulnerability from cvelistv5

gsd-2022-39299

Vulnerability from gsd

ghsa-m974-647v-whv7

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

Credits

wid-sec-w-2022-2368

Vulnerability from csaf_certbund

Tags