Add CVE-2022-23055

2025-08-04 08:44:25 +00:00 · 2022-06-22 11:21:55 +03:00 · 2022-06-22 11:21:55 +03:00 · 92909f135f
commit 92909f135f
parent 6c7dda383a
1 changed files with 83 additions and 14 deletions
--- a/2022/23xxx/CVE-2022-23055.json
+++ b/2022/23xxx/CVE-2022-23055.json
@ -1,18 +1,87 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2022-23055",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+  "CVE_data_meta" : {
+    "ASSIGNER" : "vulnerabilitylab@mend.io",
+    "ID" : "CVE-2022-23055",
+    "STATE" : "PUBLIC",
+    "DATE_PUBLIC" : "Mar 9, 2022, 12:00:00 AM",
+    "TITLE" : "ERPNext - Improper user access conrol"
+  },
+  "affects" : {
+    "vendor" : {
+      "vendor_data" : [ {
+        "vendor_name" : "frappe",
+        "product" : {
+          "product_data" : [ {
+            "product_name" : "frappe",
+            "version" : {
+              "version_data" : [ {
+                "version_value" : "v11.0.3-beta.1",
+                "version_affected" : ">="
+              }, {
+                "version_value" : "v13.14.1",
+                "version_affected" : "<="
+              } ]
            }
-        ]
+          } ]
+        }
+      } ]
    }
+  },
+  "credit" : [ {
+    "lang" : "eng",
+    "value" : "Mend Vulnerability Research Team (MVR)"
+  } ],
+  "data_format" : "MITRE",
+  "data_type" : "CVE",
+  "data_version" : "4.0",
+  "description" : {
+    "description_data" : [ {
+      "lang" : "eng",
+      "value" : "In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users."
+    } ]
+  },
+  "generator" : {
+    "engine" : "Vulnogram 0.0.9"
+  },
+  "impact" : {
+    "cvss" : {
+      "vectorString" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
+      "attackComplexity" : "LOW",
+      "attackVector" : "NETWORK",
+      "availabilityImpact" : "NONE",
+      "confidentialityImpact" : "LOW",
+      "integrityImpact" : "LOW",
+      "privilegesRequired" : "LOW",
+      "scope" : "UNCHANGED",
+      "userInteraction" : "NONE",
+      "version" : 3.1,
+      "baseScore" : 5.4,
+      "baseSeverity" : "MEDIUM"
+    }
+  },
+  "references" : {
+    "reference_data" : [ {
+      "refsource" : "MISC",
+      "url" : "https://www.mend.io/vulnerability-database/CVE-2022-23055"
+    }, {
+      "refsource" : "CONFIRM",
+      "url" : "https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L134,https://github.com/frappe/frappe/blob/v13.0.2/frappe/chat/doctype/chat_message/chat_message.py#L155"
+    } ]
+  },
+  "problemtype" : {
+    "problemtype_data" : [ {
+      "description" : [ {
+        "lang" : "eng",
+        "value" : "CWE-862 Missing Authorization"
+      } ]
+    } ]
+  },
+  "solution" : [ {
+    "lang" : "eng",
+    "value" : "Update version to v13.1.0 or later"
+  } ],
+  "source" : {
+    "advisory" : "https://www.mend.io/vulnerability-database/",
+    "discovery" : "UNKNOWN"
+  }
 }