Vulnerability-Lookup

GHSA-MWVC-VGG7-3665

Vulnerability from github – Published: 2022-09-15 00:00 – Updated: 2022-09-15 00:00

Details

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-22520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-14T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.",
  "id": "GHSA-mwvc-vgg7-3665",
  "modified": "2022-09-15T00:00:19Z",
  "published": "2022-09-15T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22520"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-011"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-039"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2022-22520 (GCVE-0-2022-22520)

Vulnerability from cvelistv5 – Published: 2022-09-14 14:05 – Updated: 2024-09-17 04:14

Title

User enumeration vulnerability in MB connect line and Helmholz products

Summary

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-204 - Response Discrepancy Information Exposure

Assigner

CERTVDE

References

2 references

URL	Tags
https://cert.vde.com/en/advisories/VDE-2022-039	x_refsource_CONFIRM
https://cert.vde.com/en/advisories/VDE-2022-011	x_refsource_CONFIRM

Impacted products

4 products

Vendor	Product	Version
MB connect line	mymbCONNECT24	Affected: 2 , ≤ 2.11.2 (custom)
MB connect line	mbCONNECT24	Affected: 2 , ≤ 2.11.2 (custom)
Helmholz	myREX24	Affected: 2 , ≤ 2.11.2 (custom)
Helmholz	myREX24.virtual	Affected: 2 , ≤ 2.11.2 (custom)

Date Public

2022-09-07 00:00

Credits

SySS GmbH reported this vulnerability to Helmholz. Helmholz reported this vulnerability to MB connect line. CERT@VDE coordinated with Helmholz & MB connect line.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:14:55.402Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en/advisories/VDE-2022-039"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en/advisories/VDE-2022-011"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mymbCONNECT24",
          "vendor": "MB connect line",
          "versions": [
            {
              "lessThanOrEqual": "2.11.2",
              "status": "affected",
              "version": "2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "mbCONNECT24",
          "vendor": "MB connect line",
          "versions": [
            {
              "lessThanOrEqual": "2.11.2",
              "status": "affected",
              "version": "2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "myREX24",
          "vendor": "Helmholz",
          "versions": [
            {
              "lessThanOrEqual": "2.11.2",
              "status": "affected",
              "version": "2",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "myREX24.virtual",
          "vendor": "Helmholz",
          "versions": [
            {
              "lessThanOrEqual": "2.11.2",
              "status": "affected",
              "version": "2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "SySS GmbH reported this vulnerability to Helmholz.  Helmholz reported this vulnerability to MB connect line. CERT@VDE coordinated with Helmholz \u0026 MB connect line."
        }
      ],
      "datePublic": "2022-09-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204 Response Discrepancy Information Exposure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-14T14:05:29.000Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert.vde.com/en/advisories/VDE-2022-039"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert.vde.com/en/advisories/VDE-2022-011"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to Version 2.12.1"
        }
      ],
      "source": {
        "advisory": "VDE-2022-011",
        "discovery": "EXTERNAL"
      },
      "title": "User enumeration vulnerability in MB connect line and Helmholz products",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "info@cert.vde.com",
          "DATE_PUBLIC": "2022-09-07T10:00:00.000Z",
          "ID": "CVE-2022-22520",
          "STATE": "PUBLIC",
          "TITLE": "User enumeration vulnerability in MB connect line and Helmholz products"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mymbCONNECT24",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2",
                            "version_value": "2.11.2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "mbCONNECT24",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2",
                            "version_value": "2.11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "MB connect line"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "myREX24",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2",
                            "version_value": "2.11.2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "myREX24.virtual",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2",
                            "version_value": "2.11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Helmholz"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "SySS GmbH reported this vulnerability to Helmholz.  Helmholz reported this vulnerability to MB connect line. CERT@VDE coordinated with Helmholz \u0026 MB connect line."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-204 Response Discrepancy Information Exposure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert.vde.com/en/advisories/VDE-2022-039",
              "refsource": "CONFIRM",
              "url": "https://cert.vde.com/en/advisories/VDE-2022-039"
            },
            {
              "name": "https://cert.vde.com/en/advisories/VDE-2022-011",
              "refsource": "CONFIRM",
              "url": "https://cert.vde.com/en/advisories/VDE-2022-011"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to Version 2.12.1"
          }
        ],
        "source": {
          "advisory": "VDE-2022-011",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2022-22520",
    "datePublished": "2022-09-14T14:05:30.024Z",
    "dateReserved": "2022-01-03T00:00:00.000Z",
    "dateUpdated": "2024-09-17T04:14:21.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-MWVC-VGG7-3665

CVE-2022-22520 (GCVE-0-2022-22520)

Tags

Sightings

Nomenclature