CVE-2022-36781

ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.gov.il/en/Departments/faq/cve_advisories	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-28 20:15

Updated : 2024-03-19 18:04

NVD link : CVE-2022-36781

Mitre link : CVE-2022-36781

CVE.ORG link : CVE-2022-36781

JSON object : View

Products Affected

connectwise

screenconnect

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2022-36781", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cna@cyber.gov.il", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-09-28T20:15:11.857", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["Third Party Advisory"], "source": "cna@cyber.gov.il"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.\n\n"}, {"lang": "es", "value": "WiseConnect - Una Omisi\u00f3n de C\u00f3digo de Cesi\u00f3n de ScreenConnect. Un atacante tendr\u00eda que usar un proxy para monitorizar el tr\u00e1fico, y llevar a cabo una fuerza bruta en el c\u00f3digo de sesi\u00f3n para poder entrar. Datos confidenciales sobre la empresa , entrar en una sesi\u00f3n"}], "lastModified": "2024-03-19T18:04:31.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3298FD82-256A-462F-BA65-FAF3DF1BC6ED", "versionEndExcluding": "22.7"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cyber.gov.il"}