CVE-2022-37109

patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://packetstormsecurity.com/files/171478/Raspberry-Pi-Camera-Server-1.0-Authentication-Bypass.html
https://github.com/ehtec/camp-exploit	Third Party Advisory
https://github.com/patrickfuller/camp/commit/bf6af5c2e5cf713e4050c11c52dd4c55e89880b1	Patch Third Party Advisory
https://medium.com/%40elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904

Configurations

Configuration 1 (hide)

cpe:2.3:a:camp_project:camp:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:49

Type	Values Removed	Values Added
References	{'url': 'https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904', 'name': 'https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904', 'tags': ['Exploit', 'Third Party Advisory'], 'refsource': 'MISC'}	() https://medium.com/%40elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904 -

Information

Published : 2022-11-14 21:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-37109

Mitre link : CVE-2022-37109

CVE.ORG link : CVE-2022-37109

JSON object : View

Products Affected

camp_project

camp

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2022-37109", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-11-14T21:15:13.920", "references": [{"url": "http://packetstormsecurity.com/files/171478/Raspberry-Pi-Camera-Server-1.0-Authentication-Bypass.html", "source": "cve@mitre.org"}, {"url": "https://github.com/ehtec/camp-exploit", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/patrickfuller/camp/commit/bf6af5c2e5cf713e4050c11c52dd4c55e89880b1", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://medium.com/%40elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie."}, {"lang": "es", "value": "El patrickfuller camp hasta el commit bbd53a256ed70e79bd8758080936afbf6d738767 incluido es vulnerable a un control de acceso incorrecto. El acceso al archivo contrase\u00f1a.txt no est\u00e1 restringido adecuadamente ya que est\u00e1 en el servidor de directorios root por StaticFileHandler y se puede omitir la regla Tornado para generar un error 403 cuando se accede a contrase\u00f1a.txt. Adem\u00e1s, no es necesario descifrar el hash de la contrase\u00f1a para autenticarse con la aplicaci\u00f3n porque el hash de la contrase\u00f1a tambi\u00e9n se utiliza como cookie secreta, por lo que un atacante puede generar su propia cookie de autenticaci\u00f3n."}], "lastModified": "2023-11-07T03:49:44.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:camp_project:camp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DD29B44-1261-4C93-9B90-E9A152929D35", "versionEndExcluding": "2022-07-21"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}