CVE-2022-3322

Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.5 / Impact : 4.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj	Third Party Advisory
https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudflare:warp_mobile_client:*:*:*:*:*:iphone_os:*:*

History

21 Nov 2024, 07:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 6.7
References	~~() https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj - Third Party Advisory~~	() https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj - Third Party Advisory

07 Nov 2023, 03:51

Type	Values Removed	Values Added
Summary	Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action.	Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action.

Information

Published : 2022-10-28 10:15

Updated : 2024-11-21 07:19

NVD link : CVE-2022-3322

Mitre link : CVE-2022-3322

CVE.ORG link : CVE-2022-3322

JSON object : View

Products Affected

cloudflare

warp_mobile_client

CWE

CWE-862

Missing Authorization

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2022-3322", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@cloudflare.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.7, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-10-28T10:15:17.277", "references": [{"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj", "tags": ["Third Party Advisory"], "source": "cna@cloudflare.com"}, {"url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-76pg-rp9h-wmcj", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@cloudflare.com", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "Lock Warp switch is a feature of Zero Trust platform which, when\n enabled, prevents users of enrolled devices from disabling WARP client.\n Due to insufficient policy verification by WARP iOS client, this \nfeature could be bypassed by using the \"Disable WARP\" quick action.\n\n\n\n"}, {"lang": "es", "value": "El interruptor Lock Warp es una caracter\u00edstica de la plataforma Zero Trust que, cuando est\u00e1 habilitada, evita que los usuarios de dispositivos registrados deshabiliten el cliente WARP. Debido a una verificaci\u00f3n insuficiente de la pol\u00edtica por parte del cliente WARP iOS, esta caracter\u00edstica podr\u00eda omitirse mediante la acci\u00f3n r\u00e1pida \"\"Desactivar WARP\"\"."}], "lastModified": "2024-11-21T07:19:17.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:warp_mobile_client:*:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "1150BB9C-25CC-4DD9-9CEB-C5B30AA39D1C", "versionEndExcluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cloudflare.com"}