CVE-2022-26314

A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf	Mitigation Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mendix:forgot_password::::::::
	cpe:2.3:a:mendix:forgot_password::::::::

History

11 Mar 2022, 19:04

Type	Values Removed	Values Added
CWE		CWE-307
CPE		cpe:2.3:a:mendix:forgot_password::::::::
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf -~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf - Mitigation, Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
First Time		Mendix forgot Password Mendix

08 Mar 2022, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-08 12:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-26314

Mitre link : CVE-2022-26314

CVE.ORG link : CVE-2022-26314

JSON object : View

Products Affected

mendix

forgot_password

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2022-26314", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-03-08T12:15:11.823", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}, {"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en el m\u00f3dulo Mendix Forgot Password Appstore (Todas las versiones posteriores a V3.3.0 incluy\u00e9ndola, anteriores a V3.5.1), m\u00f3dulo Mendix Forgot Password Appstore (compatible con Mendix 7) (Todas las versiones anteriores a V3.2.2). Las contrase\u00f1as iniciales son generadas de forma no segura. Esto podr\u00eda permitir a un atacante remoto no autenticado forzar eficazmente las contrase\u00f1as en situaciones espec\u00edficas"}], "lastModified": "2022-03-11T19:04:08.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mendix:forgot_password:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8678901-6B8E-4022-8CE0-B00F6F2D51BD", "versionEndExcluding": "3.2.2"}, {"criteria": "cpe:2.3:a:mendix:forgot_password:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "394B806B-A2A7-4BA4-B7DC-08756FA27908", "versionEndExcluding": "3.5.1", "versionStartIncluding": "3.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}