CVE-2022-37145

The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://plextrac.com	Product
https://www.controlgap.com/blog/a-plextrac-story	Technical Description Third Party Advisory
http://plextrac.com	Product
https://www.controlgap.com/blog/a-plextrac-story	Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:plextrac:plextrac:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:14

Type	Values Removed	Values Added
References	~~() http://plextrac.com - Product~~	() http://plextrac.com - Product
References	~~() https://www.controlgap.com/blog/a-plextrac-story - Technical Description, Third Party Advisory~~	() https://www.controlgap.com/blog/a-plextrac-story - Technical Description, Third Party Advisory

Information

Published : 2022-09-08 01:15

Updated : 2024-11-21 07:14

NVD link : CVE-2022-37145

Mitre link : CVE-2022-37145

CVE.ORG link : CVE-2022-37145

JSON object : View

Products Affected

plextrac

plextrac

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2022-37145", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-09-08T01:15:07.450", "references": [{"url": "http://plextrac.com", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.controlgap.com/blog/a-plextrac-story", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://plextrac.com", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.controlgap.com/blog/a-plextrac-story", "tags": ["Technical Description", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider."}, {"lang": "es", "value": "La plataforma PlexTrac versiones anteriores a 1.17.0 no restringe los intentos de autenticaci\u00f3n excesivos para las cuentas configuradas para usar el proveedor de autenticaci\u00f3n PlexTrac. Un atacante remoto no autenticado podr\u00eda llevar a cabo un ataque de fuerza bruta en la p\u00e1gina de inicio de sesi\u00f3n sin l\u00edmite de tiempo o de intento en un intento de obtener credenciales v\u00e1lidas para usuarios de la plataforma configurados para usar el proveedor de autenticaci\u00f3n PlexTrac"}], "lastModified": "2024-11-21T07:14:31.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:plextrac:plextrac:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6DC413C-DC04-4DE8-B407-F14BB7974FC9", "versionEndExcluding": "1.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}