CVE-2022-41607

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-41607
All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.

6.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 4.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 Patch Third Party Advisory US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 Patch Third Party Advisory US Government Resource
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:etictelecom:ras-c-100-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-480-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:rfm-e:-:*:*:*:*:*:*:*
History

21 Nov 2024, 07:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : 6.2
References () https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 - Patch, Third Party Advisory, US Government Resource () https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 - Patch, Third Party Advisory, US Government Resource

16 Sep 2024, 20:15

Type Values Removed Values Added
Summary (en) All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more. (en) All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.

28 Dec 2023, 19:15

Type Values Removed Values Added
References (MISC) https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 - (MISC) https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 - Patch, Third Party Advisory, US Government Resource
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
CPE cpe:2.3:h:etictelecom:ras-ew-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-c-100-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:rfm-e:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-480-lw:-:*:*:*:*:*:*:*
Summary All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more. All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.

10 Nov 2022, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-11-10 22:15

Updated : 2024-11-21 07:23

NVD link : CVE-2022-41607

Mitre link : CVE-2022-41607

CVE.ORG link : CVE-2022-41607

JSON object : View

Products Affected

etictelecom

  • ras-ecw-400-lw
  • ras-c-100-lw
  • ras-ew-100
  • ras-e-400
  • ras-ec-400-lw
  • ras-e-220
  • remote_access_server_firmware
  • ras-ew-220
  • ras-ew-400
  • rfm-e
  • ras-ecw-220-lw
  • ras-e-100
  • ras-ec-480-lw
  • ras-ec-220-lw
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')