CVE-2022-38658

BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102117	Vendor Advisory
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102117	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:hcltech:bigfix_server_automation:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 7.7
References	~~() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102117 - Vendor Advisory~~	() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102117 - Vendor Advisory

07 Nov 2023, 03:50

Type	Values Removed	Values Added
Summary	BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.	BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~NVD-CWE-noinfo~~	CWE-311

Information

Published : 2022-12-24 00:15

Updated : 2024-11-21 07:16

NVD link : CVE-2022-38658

Mitre link : CVE-2022-38658

CVE.ORG link : CVE-2022-38658

JSON object : View

Products Affected

hcltech

bigfix_server_automation

microsoft

windows

CWE

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2022-38658", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-12-24T00:15:08.707", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102117", "tags": ["Vendor Advisory"], "source": "psirt@hcl.com"}, {"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102117", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.\n"}, {"lang": "es", "value": "Los despliegues de BigFix que han instalado el servicio de notificaci\u00f3n en Windows son susceptibles de revelar datos confidenciales del operador SMTP de BigFix en texto plano. Los operadores que utilizan contenido relacionado con el Servicio de notificaciones de BES Support corren el riesgo de dejar expuestos sus datos confidenciales SMTP."}], "lastModified": "2024-11-21T07:16:52.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:bigfix_server_automation:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A77EF9CE-3CD4-49F8-992C-206363E93794", "versionEndIncluding": "3.2.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@hcl.com"}