CVE-2022-29847

In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://community.progress.com/s/article/WhatsUp-Gold-Critical-Product-Alert-May-2022	Vendor Advisory
https://www.progress.com/network-monitoring	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ipswitch:whatsup_gold::::::::
	cpe:2.3:a:ipswitch:whatsup_gold:22.0.0:::::::*

History

No history.

Information

Published : 2022-05-11 18:15

Updated : 2022-05-20 14:36

NVD link : CVE-2022-29847

Mitre link : CVE-2022-29847

CVE.ORG link : CVE-2022-29847

JSON object : View

Products Affected

ipswitch

whatsup_gold

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2022-29847", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-05-11T18:15:29.097", "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Critical-Product-Alert-May-2022", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.progress.com/network-monitoring", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host."}, {"lang": "es", "value": "En Progress Ipswitch WhatsUp Gold versiones 21.0.0 hasta 21.1.1, y 22.0.0, es posible que un atacante no autenticado invoque una transacci\u00f3n de API que le permita transmitir credenciales de usuario de WhatsUp Gold cifradas a un host arbitrario"}], "lastModified": "2022-05-20T14:36:16.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ipswitch:whatsup_gold:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BA6AF5F-7102-45E9-B7D5-B1E1554FC78F", "versionEndIncluding": "21.1.1", "versionStartIncluding": "21.0.0"}, {"criteria": "cpe:2.3:a:ipswitch:whatsup_gold:22.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBC0E622-05F0-4098-8920-B17644AB9490"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}