Hammock AssetView missing authentication for critical functions


AssetView provided by Hammock Corporation lacks authentication for some critical functions (CWE-306) on the managing server.

Denis Faiustov and Ruslan Sayfiev of GMO Cyber Security by IERAE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 9.0 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 9.3 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products

Hammock Corporation
  • AssetView prior to Ver.13.2.0

According to the developer, AssetView CLOUD is not affected by this vulnerability.

With some knowledge of the system configuration, a remote attacker may upload a crafted configuration file to the managing server, causing the managed clients to execute arbitrary code with administrative privileges.

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the patch listed below, which contains a fix for this vulnerability.
  • AssetView Server Communication module Hotfix

According to the developer, no patch will be released for versions prior to Ver.11.0.0 because those versions are no longer supported.
Therefore, update to Ver.11.0.0 or later, and then apply the patch.

For more information, refer to the information provided by the developer (text in Japanese).
Vendor Information

Hammock Corporation
CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
CVE

  1. CVE-2022-28719

  1. JVN : JVN#54857505
  2. National Vulnerability Database (NVD) : CVE-2022-28719
Revision History

  • [2022/04/22]
      Web page was published
  • [2024/06/20]
      References : Content was added