CVE-2022-26579

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability.

CVSS v3 6.0 MEDIUM

6.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c	Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26579.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c	Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26579.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:54

Type	Values Removed	Values Added
References	~~() https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory~~	() https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory
References	~~() https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26579.md -~~	() https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26579.md -
References	~~() https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -~~	() https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -

23 Apr 2024, 14:15

Type	Values Removed	Values Added
References		() https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -

Information

Published : 2022-12-16 22:15

Updated : 2024-11-21 06:54

NVD link : CVE-2022-26579

Mitre link : CVE-2022-26579

CVE.ORG link : CVE-2022-26579

JSON object : View

Products Affected

paxtechnology

a930
paydroid

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2022-26579", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 0.8}]}, "published": "2022-12-16T22:15:08.827", "references": [{"url": "https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26579.md", "source": "cve@mitre.org"}, {"url": "https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/", "source": "cve@mitre.org"}, {"url": "https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26579.md", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability."}, {"lang": "es", "value": "El dispositivo PAX A930 con PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 puede permitir que un atacante con privilegios de root instale paquetes sin firmar. El atacante debe tener acceso de shell al dispositivo y obtener privilegios de root para poder aprovechar esta vulnerabilidad."}], "lastModified": "2024-11-21T06:54:09.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAC5D8D6-7815-4C59-92A0-1576AB8CCE4A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DB9FB279-F679-4E82-9FA8-56EA001A488C"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}