CVE-2022-46163

{"id": "CVE-2022-46163", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-01-10T21:15:12.740", "references": [{"url": "https://github.com/openSUSE/travel-support-program/commit/d22916275c51500b4004933ff1b0a69bc807b2b7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openSUSE/travel-support-program/pull/158", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openSUSE/travel-support-program/security/advisories/GHSA-2wwv-c6xh-cf68", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openSUSE/travel-support-program/commit/d22916275c51500b4004933ff1b0a69bc807b2b7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/openSUSE/travel-support-program/pull/158", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/openSUSE/travel-support-program/security/advisories/GHSA-2wwv-c6xh-cf68", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Travel support program is a rails app to support the travel support program of openSUSE (TSP). Sensitive user data (bank account details, password Hash) can be extracted via Ransack query injection. Every deployment of travel-support-program below the patched version is affected. The travel-support-program uses the Ransack library to implement search functionality. In its default configuration, Ransack will allow for query conditions based on properties of associated database objects [1]. The `*_start`, `*_end` or `*_cont` search matchers [2] can then be abused to exfiltrate sensitive string values of associated database objects via character-by-character brute-force (A match is indicated by the returned JSON not being empty). A single bank account number can be extracted with <200 requests, a password hash can be extracted with ~1200 requests, all within a few minutes. The problem has been patched in commit d22916275c51500b4004933ff1b0a69bc807b2b7. In order to work around this issue, you can also cherry pick that patch, however it will not work without the Rails 5.0 migration that was done in #150, which in turn had quite a few pull requests it depended on."}, {"lang": "es", "value": "El programa de soporte para viajes es una aplicaci\u00f3n de rails para respaldar el programa de soporte para viajes de openSUSE (TSP). Los datos confidenciales del usuario (detalles de la cuenta bancaria, hash de contrase\u00f1a) se pueden extraer mediante la inyecci\u00f3n de consultas Ransack. Todas las implementaciones del programa de soporte para viajes inferiores a la versi\u00f3n parcheada se ven afectadas. El programa de soporte para viajes utiliza la librer\u00eda Ransack para implementar la funci\u00f3n de b\u00fasqueda. En su configuraci\u00f3n predeterminada, Ransack permitir\u00e1 condiciones de consulta basadas en propiedades de los objetos de la base de datos asociados [1]. Luego se puede abusar de los comparadores de b\u00fasqueda `*_start`, `*_end` o `*_cont` [2] para filtrar valores de cadenas confidenciales de objetos de bases de datos asociados mediante fuerza bruta car\u00e1cter por car\u00e1cter (Una coincidencia se indica porque el JSON devuelto no est\u00e1 vac\u00edo). Se puede extraer un \u00fanico n\u00famero de cuenta bancaria con &lt;200 solicitudes, y un hash de contrase\u00f1a con ~1200 solicitudes, todo en unos pocos minutos. El problema se solucion\u00f3 en el commit d22916275c51500b4004933ff1b0a69bc807b2b7. Para solucionar este problema, tambi\u00e9n puede elegir ese parche; sin embargo, no funcionar\u00e1 sin la migraci\u00f3n de Rails 5.0 que se realiz\u00f3 en el n.\u00b0 150, que a su vez ten\u00eda bastantes solicitudes de extracci\u00f3n de las que depend\u00eda."}], "lastModified": "2024-11-21T07:30:14.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:travel_support_program:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69AF7833-9415-4F9C-906C-C944FAA50EE7", "versionEndExcluding": "2022-11-29"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}