CVE-2022-22520

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2022-011	Third Party Advisory VDB Entry
https://cert.vde.com/en/advisories/VDE-2022-039	Not Applicable

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mbconnectline:mbconnect24::::::::
	cpe:2.3:a:mbconnectline:mymbconnect24::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:helmholz:myrex24::::::::
	cpe:2.3:a:helmholz:myrex24.virtual::::::::

History

16 Sep 2022, 19:19

Type	Values Removed	Values Added
References	~~(CONFIRM) https://cert.vde.com/en/advisories/VDE-2022-011 -~~	(CONFIRM) https://cert.vde.com/en/advisories/VDE-2022-011 - Third Party Advisory, VDB Entry
References	~~(CONFIRM) https://cert.vde.com/en/advisories/VDE-2022-039 -~~	(CONFIRM) https://cert.vde.com/en/advisories/VDE-2022-039 - Not Applicable
First Time		Helmholz Helmholz myrex24 Helmholz myrex24.virtual Mbconnectline mymbconnect24 Mbconnectline mbconnect24 Mbconnectline
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:helmholz:myrex24:::::::: cpe:2.3:a:mbconnectline:mbconnect24:::::::: cpe:2.3:a:helmholz:myrex24.virtual:::::::: cpe:2.3:a:mbconnectline:mymbconnect24::::::::

14 Sep 2022, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-14 14:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-22520

Mitre link : CVE-2022-22520

CVE.ORG link : CVE-2022-22520

JSON object : View

Products Affected

mbconnectline

mymbconnect24
mbconnect24

helmholz

myrex24
myrex24.virtual

CWE

CWE-204

Observable Response Discrepancy

{"id": "CVE-2022-22520", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-09-14T14:15:12.427", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-011", "tags": ["Third Party Advisory", "VDB Entry"], "source": "info@cert.vde.com"}, {"url": "https://cert.vde.com/en/advisories/VDE-2022-039", "tags": ["Not Applicable"], "source": "info@cert.vde.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-204"}]}], "descriptions": [{"lang": "en", "value": "A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2."}, {"lang": "es", "value": "Un atacante remoto no autenticado puede enumerar usuarios v\u00e1lidos mediante el env\u00edo de peticiones espec\u00edficas al webservice de la l\u00ednea de conexi\u00f3n MB mymbCONNECT24, mbCONNECT24 y Helmholz myREX24 y myREX24.virtual en todas las versiones hasta v2.11.2"}], "lastModified": "2022-10-01T02:33:08.290", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mbconnectline:mbconnect24:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D55D697-78A4-44E3-B6B6-E5349C610148", "versionEndIncluding": "2.11.2"}, {"criteria": "cpe:2.3:a:mbconnectline:mymbconnect24:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04561EEC-B011-46F8-8C56-E5546D0ECD6A", "versionEndIncluding": "2.11.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:helmholz:myrex24:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8EE3EED2-43AC-4129-B2C8-88DEBFEF8BA0", "versionEndIncluding": "2.11.2"}, {"criteria": "cpe:2.3:a:helmholz:myrex24.virtual:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "847B9BE1-D7E5-4B6B-A59D-282BB58A8B64", "versionEndIncluding": "2.11.2"}], "operator": "OR"}]}], "sourceIdentifier": "info@cert.vde.com"}