CVE-2022-0862

EPSS 0.29%
Published 23.03.2022 15:15:08
Last modified 21.11.2024 06:39:33
Source trellixpsirt@trellix.com
Teams watchlist Login
Open Login

A lack of password change protection vulnerability in a depreciated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been disabled. Other protection is in place to reduce the likelihood of this being successful through sending a link to a logged in user.

Affected products Warnungen 0 Metrics 4 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Mcafee ≫ Epolicy Orchestrator Version < 5.10.0

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Update-

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_1

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_10

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_11

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_12

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_2

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_3

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_4

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_5

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_6

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_7

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_8

Mcafee ≫ Epolicy Orchestrator Version5.10.0 Updateupdate_9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.29%	0.517

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
trellixpsirt@trellix.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://kc.mcafee.com/corporate/index?page=content&id=SB10379

https://nvd.nist.gov/vuln/detail/CVE-2022-0862

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-0862

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-0862

EUVD