JVNDB-2022-000027
|
Hammock AssetView missing authentication for critical functions
|
AssetView, provided by Hammock Corporation, lacks authentication for some critical functions (CWE-306) on the managing server.
Denis Faiustov, Ruslan Sayfiev of GMO Cyber Security by IERAE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 9.0 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 9.3 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
|
|
Hammock Corporation
- AssetView prior to Ver.13.2.0
|
According to the developer, AssetView CLOUD is not affected by this vulnerability.
|
With some knowledge of the system configuration, a remote attacker may upload a crafted configuration file to the managing server, causing the managed clients to execute arbitrary code with administrative privileges.
|
[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released a patch listed below that contains a fix for this vulnerability.
- AssetView Server Communication module Hotfix
According to the developer, a patch for versions prior to Ver.11.0.0 will not be released, as those versions are no longer supported.
Therefore, update to Ver.11.0.0 or later, and then apply the patch.
For more information, refer to the information provided by the developer (text in Japanese).
|
Hammock Corporation
|
- Improper Authentication (CWE-287) [IPA Evaluation]
|
- CVE-2022-28719
|
- JVN : JVN#54857505
- National Vulnerability Database (NVD) : CVE-2022-28719
|
- [2022/04/22]
Web page was published
- [2024/06/20]
References : Content was added
|