CVE-2022-26308
Vulnerability from cvelistv5
Published
2022-08-01 12:44
Modified
2024-09-17 02:31
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.
References
security@pandorafms.comhttps://pandorafms.com/en/security/common-vulnerabilities-and-exposures/Vendor Advisory
security@pandorafms.comhttps://www.incibe.es/en/cve-assignment-publication/coordinated-cvesThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.incibe.es/en/cve-assignment-publication/coordinated-cvesThird Party Advisory
Impacted products
Vendor Product Version
Artica PFMS Pandora FMS Version: v760   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:03:31.844Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "all"
          ],
          "product": "Pandora FMS",
          "vendor": "Artica PFMS",
          "versions": [
            {
              "lessThanOrEqual": "v760",
              "status": "affected",
              "version": "v760",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-05-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T12:44:04",
        "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c",
        "shortName": "ARTICA"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Fixed in v761"
        }
      ],
      "source": {
        "defect": [
          "4844"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control in Configuration (Credential store)",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pandorafms.com",
          "DATE_PUBLIC": "2022-05-13T08:00:00.000Z",
          "ID": "CVE-2022-26308",
          "STATE": "PUBLIC",
          "TITLE": "Improper Access Control in Configuration (Credential store)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pandora FMS",
                      "version": {
                        "version_data": [
                          {
                            "platform": "all",
                            "version_affected": "\u003c=",
                            "version_name": "v760",
                            "version_value": "v760"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Artica PFMS"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/",
              "refsource": "CONFIRM",
              "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"
            },
            {
              "name": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves",
              "refsource": "CONFIRM",
              "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Fixed in v761"
          }
        ],
        "source": {
          "defect": [
            "4844"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c",
    "assignerShortName": "ARTICA",
    "cveId": "CVE-2022-26308",
    "datePublished": "2022-08-01T12:44:04.444400Z",
    "dateReserved": "2022-02-28T00:00:00",
    "dateUpdated": "2024-09-17T02:31:29.597Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-26308\",\"sourceIdentifier\":\"security@pandorafms.com\",\"published\":\"2022-08-01T13:15:10.257\",\"lastModified\":\"2024-11-21T06:53:43.783\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.\"},{\"lang\":\"es\",\"value\":\"Pandora FMS versiones v7.0NG.760 y anteriores, permiten un control de acceso inapropiado en la Configuraci\u00f3n (Almac\u00e9n de credenciales) donde un usuario con el rol de Operador (Escritura) podr\u00eda crear, borrar, visualizar claves existentes que est\u00e1n fuera del rol previsto\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@pandorafms.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@pandorafms.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.0_ng_760\",\"matchCriteriaId\":\"F9ACE0CF-C204-470A-B706-969837339CDC\"}]}]}],\"references\":[{\"url\":\"https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/\",\"source\":\"security@pandorafms.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.incibe.es/en/cve-assignment-publication/coordinated-cves\",\"source\":\"security@pandorafms.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.incibe.es/en/cve-assignment-publication/coordinated-cves\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.