Vulnerability Name:

CVE-2022-32222 (CCN-230662)

Assigned:2022-07-07
Published:2022-07-07
Updated:2023-07-24
Summary:
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2022-32222

Source: XF
Type: UNKNOWN
nodejs-cve202232222-sec-bypass(230662)

Source: support@hackerone.com
Type: Exploit
support@hackerone.com

Source: CCN
Type: Node.js Blog, 2022-07-07
July 7th 2022 Security Releases

Source: CCN
Type: Node.js Blog, 2022-09-23
September 22nd 2022 Security Releases

Source: CCN
Type: IBM Security Bulletin 6603049 (Answer Retrieval for Watson Discovery)
IBM Answer Retrieval for Watson Discovery is vulnerable to HTTP request smuggling due to NodeJS

Source: CCN
Type: IBM Security Bulletin 6611585 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6619919 (Spectrum Protect Plus)
Multiple vulnerabilities in Node.js may affect IBM Spectrum Protect Plus (CVE-2022-32223, CVE-2022-32215, CVE-2022-33987, CVE-2022-32213, CVE-2022-32212, CVE-2022-32222, CVE-2022-32214)

Source: CCN
Type: IBM Security Bulletin 6825155 (Watson Assistant for Cloud Pak for data)
Multiple Vulnerabilities in node.js

Source: CCN
Type: IBM Security Bulletin 6825561 (Event Streams)
Multiple vulnerabilities in Node.js affect IBM Event Streams

Source: CCN
Type: IBM Security Bulletin 6833888 (Business Automation Workflow traditional)
Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow

Source: CCN
Type: IBM Security Bulletin 6840919 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6841799 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js and Spring Data MongoDB

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*

  • * Denotes that component is vulnerable
    nodejs node.js 14.0
    ibm spectrum protect plus 10.1.0
    ibm event streams 10.0.0
    ibm event streams 10.1.0
    ibm event streams 10.2.0
    ibm event streams 10.3.0
    ibm event streams 10.3.1
    ibm planning analytics workspace 2.0
    ibm business automation workflow 20.0.0.1
    ibm business automation workflow 20.0.0.2
    ibm business automation workflow 21.0.1
    ibm business automation workflow 22.0.1