CVE-2022-2192

Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.hypr.com/security-advisories/	Vendor Advisory
https://www.hypr.com/security-advisories/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hypr:hypr_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:00

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 7.5
References	~~() https://www.hypr.com/security-advisories/ - Vendor Advisory~~	() https://www.hypr.com/security-advisories/ - Vendor Advisory

Information

Published : 2022-07-19 15:15

Updated : 2024-11-21 07:00

NVD link : CVE-2022-2192

Mitre link : CVE-2022-2192

CVE.ORG link : CVE-2022-2192

JSON object : View

Products Affected

hypr

hypr_server

CWE

CWE-425

Direct Request ('Forced Browsing')

{"id": "CVE-2022-2192", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@hypr.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-07-19T15:15:08.547", "references": [{"url": "https://www.hypr.com/security-advisories/", "tags": ["Vendor Advisory"], "source": "security@hypr.com"}, {"url": "https://www.hypr.com/security-advisories/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@hypr.com", "description": [{"lang": "en", "value": "CWE-425"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-425"}]}], "descriptions": [{"lang": "en", "value": "Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de navegaci\u00f3n forzada en HYPR Server versiones 6.10 a 6.15.1, permite a atacantes remotos con un token v\u00e1lido de recuperaci\u00f3n de un solo uso elevar los privilegios por medio de la manipulaci\u00f3n de la ruta en la p\u00e1gina Magic Link. Este problema afecta a: Las versiones de HYPR Server posteriores a 6.10; versiones 6.15.1 y anteriores."}], "lastModified": "2024-11-21T07:00:30.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hypr:hypr_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "109B33EB-E6C1-4759-8B0B-DC848ABE5177", "versionEndIncluding": "6.15.1", "versionStartIncluding": "6.10"}], "operator": "OR"}]}], "sourceIdentifier": "security@hypr.com"}