CVE-2022-37146

EPSS 0.35%
Veröffentlicht 08.09.2022 01:15:07
Zuletzt bearbeitet 21.11.2024 07:14:31
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Plextrac ≫ Plextrac Version < 1.28.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.569

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

http://plextrac.com

Product

https://www.controlgap.com/blog/a-plextrac-story

Third Party Advisory

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2022-37146

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-37146

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-37146

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-37146