ID

VAR-202204-1359


CVE

CVE-2022-22190


TITLE

Juniper Networks Paragon Access control error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202204-3414

DESCRIPTION

An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated attacker to leverage a crafted URL to generate PDF reports, potentially containing sensitive configuration information. A feature was introduced in version 3.1 of the Paragon Active Assurance Control Center which allows users to selectively share account data using a unique identifier. Knowing the proper format of the URL and the identifier of an existing object in an application, it is possible to get access to that object without being logged in, even if the object is not shared, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance version 3.1.0.

Trust: 1.08

sources: NVD: CVE-2022-22190 // VULHUB: VHN-409719 // VULMON: CVE-2022-22190

AFFECTED PRODUCTS

vendor: juniper, model: paragon active assurance control center, scope: eq, version: 3.1.0

Trust: 1.0

sources: NVD: CVE-2022-22190

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22190
value: HIGH

Trust: 1.0

sirt@juniper.net: CVE-2022-22190
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202204-3414
value: HIGH

Trust: 0.6

VULHUB: VHN-409719
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22190
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22190
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-409719
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22190
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sirt@juniper.net: CVE-2022-22190
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.0
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-409719 // VULMON: CVE-2022-22190 // CNNVD: CNNVD-202204-3414 // NVD: CVE-2022-22190 // NVD: CVE-2022-22190

PROBLEMTYPE DATA

problemtype:CWE-639

Trust: 1.0

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-863

Trust: 0.1

sources: VULHUB: VHN-409719 // NVD: CVE-2022-22190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3414

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202204-3414

PATCH

title: Juniper Networks Paragon Fixes for access control error vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=190392

Trust: 0.6

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title: CVE-2022-XXXX, url: https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22190 // CNNVD: CNNVD-202204-3414

EXTERNAL IDS

db: NVD, id: CVE-2022-22190

Trust: 1.8

db: JUNIPER, id: JSA69500

Trust: 1.8

db: CNNVD, id: CNNVD-202204-3414

Trust: 0.6

db: VULHUB, id: VHN-409719

Trust: 0.1

db: VULMON, id: CVE-2022-22190

Trust: 0.1

sources: VULHUB: VHN-409719 // VULMON: CVE-2022-22190 // CNNVD: CNNVD-202204-3414 // NVD: CVE-2022-22190

REFERENCES

url:https://kb.juniper.net/jsa69500

Trust: 1.8

url:https://cxsecurity.com/cveshow/cve-2022-22190/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/639.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-409719 // VULMON: CVE-2022-22190 // CNNVD: CNNVD-202204-3414 // NVD: CVE-2022-22190

SOURCES

db: VULHUB, id: VHN-409719
db: VULMON, id: CVE-2022-22190
db: CNNVD, id: CNNVD-202204-3414
db: NVD, id: CVE-2022-22190

LAST UPDATE DATE

2024-08-14T15:21:51.403000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-409719, date: 2022-04-21T00:00:00
db: VULMON, id: CVE-2022-22190, date: 2023-06-27T00:00:00
db: CNNVD, id: CNNVD-202204-3414, date: 2023-06-28T00:00:00
db: NVD, id: CVE-2022-22190, date: 2023-06-27T19:01:00.173

SOURCES RELEASE DATE

db: VULHUB, id: VHN-409719, date: 2022-04-14T00:00:00
db: VULMON, id: CVE-2022-22190, date: 2022-04-14T00:00:00
db: CNNVD, id: CNNVD-202204-3414, date: 2022-04-14T00:00:00
db: NVD, id: CVE-2022-22190, date: 2022-04-14T16:15:08.230