CVE-2022-2192

Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.hypr.com/security-advisories/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hypr:hypr_server:*:*:*:*:*:*:*:*

History

27 Jul 2022, 07:23

Type	Values Removed	Values Added
CWE		CWE-425
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~(MISC) https://www.hypr.com/security-advisories/ -~~	(MISC) https://www.hypr.com/security-advisories/ - Vendor Advisory
CPE		cpe:2.3:a:hypr:hypr_server::::::::

19 Jul 2022, 15:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-07-19 15:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-2192

Mitre link : CVE-2022-2192

CVE.ORG link : CVE-2022-2192

JSON object : View

Products Affected

hypr

hypr_server

CWE

CWE-425

Direct Request ('Forced Browsing')

{"id": "CVE-2022-2192", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@hypr.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2022-07-19T15:15:08.547", "references": [{"url": "https://www.hypr.com/security-advisories/", "tags": ["Vendor Advisory"], "source": "security@hypr.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-425"}]}, {"type": "Secondary", "source": "security@hypr.com", "description": [{"lang": "en", "value": "CWE-425"}]}], "descriptions": [{"lang": "en", "value": "Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de navegaci\u00f3n forzada en HYPR Server versiones 6.10 a 6.15.1, permite a atacantes remotos con un token v\u00e1lido de recuperaci\u00f3n de un solo uso elevar los privilegios por medio de la manipulaci\u00f3n de la ruta en la p\u00e1gina Magic Link. Este problema afecta a: Las versiones de HYPR Server posteriores a 6.10; versiones 6.15.1 y anteriores."}], "lastModified": "2022-07-27T07:23:43.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hypr:hypr_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "109B33EB-E6C1-4759-8B0B-DC848ABE5177", "versionEndIncluding": "6.15.1", "versionStartIncluding": "6.10"}], "operator": "OR"}]}], "sourceIdentifier": "security@hypr.com"}