CVE-2022-29229

CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator.

CVSS v3 7.2 HIGH
CVSS v2.0 6.5 MEDIUM

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/cassproject/CASS/releases/tag/1.5.8	Third Party Advisory
https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cassproject:competency_and_skills_system::::::docker::*
	cpe:2.3:a:cassproject:competency_and_skills_system::::::node.js::*

History

No history.

Information

Published : 2022-05-18 21:15

Updated : 2022-06-07 14:28

NVD link : CVE-2022-29229

Mitre link : CVE-2022-29229

CVE.ORG link : CVE-2022-29229

JSON object : View

Products Affected

cassproject

competency_and_skills_system

CWE

NVD-CWE-Other CWE-325

Missing Cryptographic Step

{"id": "CVE-2022-29229", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2022-05-18T21:15:07.757", "references": [{"url": "https://github.com/cassproject/CASS/releases/tag/1.5.8", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-325"}]}], "descriptions": [{"lang": "en", "value": "CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account\u2019s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator."}, {"lang": "es", "value": "CaSS es un sistema de competencias y habilidades. La biblioteca CaSS, (npm:cassproject) presenta un paso criptogr\u00e1fico faltante cuando almacena claves criptogr\u00e1ficas que puede permitir a un administrador del servidor acceder a las claves criptogr\u00e1ficas de una cuenta. Esto afecta a servidores CaSS que usan la autenticaci\u00f3n aut\u00f3noma de nombre de usuario/contrase\u00f1a, que usa un m\u00e9todo que espera la seguridad criptogr\u00e1fica e2e de las credenciales de autorizaci\u00f3n. El problema ha sido parcheado en versi\u00f3n 1.5.8. Sin embargo, las cuentas vulnerables s\u00f3lo vuelven a asegurarse cuando el usuario vuelve a iniciar sesi\u00f3n usando la autenticaci\u00f3n aut\u00f3noma, ya que los datos necesarios para volver a asegurar la cuenta no est\u00e1n disponibles para el servidor. El problema puede mitigarse al usar SSO o certificados del lado del cliente para iniciar la sesi\u00f3n. Tenga en cuenta que la autenticaci\u00f3n SSO y de certificados del lado del cliente no presenta esta expectativa de acceso a credenciales sin conocimiento, y las claves criptogr\u00e1ficas est\u00e1n disponibles para el administrador del servidor"}], "lastModified": "2022-06-07T14:28:50.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cassproject:competency_and_skills_system:*:*:*:*:*:docker:*:*", "vulnerable": true, "matchCriteriaId": "D2D76674-26A6-45E3-8772-CD7DEAEE844E", "versionEndExcluding": "1.5.8"}, {"criteria": "cpe:2.3:a:cassproject:competency_and_skills_system:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BE259B95-B6F7-456F-9445-88AD9ECD62E3", "versionEndExcluding": "1.5.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

7.2 /10