{"containers":{"cna":{"affected":[{"product":"CMDB","vendor":"Device42","versions":[{"lessThan":"18.01.00","status":"affected","version":"unspecified","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Ștefania POPESCU - Team Lead, Security @ Bitdefender"},{"lang":"en","value":"Ionuț LALU - Security Engineer @ Bitdefender"},{"lang":"en","value":"Cristian BUZA - Security Engineer @ Bitdefender"},{"lang":"en","value":"Alexandru LAZĂR - Security Researcher @ Bitdefender"}],"datePublic":"2022-08-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-321","description":"CWE-321 Use of Hard-coded Cryptographic Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2022-08-16T23:25:12.000Z","orgId":"b3d5ebe7-963e-41fb-98e1-2edaeabb8f82","shortName":"Bitdefender"},"references":[{"tags":["x_refsource_MISC"],"url":"https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}],"solutions":[{"lang":"en","value":"An update to Device42 CMDB  version 19.01.00 fixes the issue."}],"source":{"discovery":"EXTERNAL"},"title":"Hardcoded encryption key IV in Exago WebReportsApi.dll","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve-requests@bitdefender.com","DATE_PUBLIC":"2022-08-16T19:00:00.000Z","ID":"CVE-2022-1400","STATE":"PUBLIC","TITLE":"Hardcoded encryption key IV in Exago WebReportsApi.dll"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"CMDB","version":{"version_data":[{"version_affected":"<","version_value":"18.01.00"}]}}]},"vendor_name":"Device42"}]}},"credit":[{"lang":"eng","value":"Ștefania POPESCU - Team Lead, Security @ Bitdefender"},{"lang":"eng","value":"Ionuț LALU - Security Engineer @ Bitdefender"},{"lang":"eng","value":"Cristian BUZA - Security Engineer @ Bitdefender"},{"lang":"eng","value":"Alexandru LAZĂR - Security Researcher @ Bitdefender"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-321 Use of Hard-coded Cryptographic Key"}]}]},"references":{"reference_data":[{"name":"https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/","refsource":"MISC","url":"https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}]},"solution":[{"lang":"en","value":"An update to Device42 CMDB  version 19.01.00 fixes the issue."}],"source":{"discovery":"EXTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T00:03:06.249Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}]}]},"cveMetadata":{"assignerOrgId":"b3d5ebe7-963e-41fb-98e1-2edaeabb8f82","assignerShortName":"Bitdefender","cveId":"CVE-2022-1400","datePublished":"2022-08-16T23:25:12.477Z","dateReserved":"2022-04-19T00:00:00.000Z","dateUpdated":"2024-09-16T22:36:19.528Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}