ID

VAR-202204-1779


CVE

CVE-2022-26672


TITLE

Use of hard-coded credentials vulnerability in ASUSTeK Computer Inc. WebStorage for Android

Trust: 0.8

sources: JVNDB: JVNDB-2022-008392

DESCRIPTION

ASUS WebStorage has a hard-coded API token in the app source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts against general user accounts. A successful login to a general user account allows the attacker to access, modify or delete that account's information. ASUSTeK Computer Inc.'s WebStorage for Android contains a use of hard-coded credentials vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). ASUS WebStorage is an online storage service from ASUS Corporation of China.

Trust: 2.34

sources: NVD: CVE-2022-26672 // JVNDB: JVNDB-2022-008392 // CNVD: CNVD-2022-32820 // VULHUB: VHN-417341 // VULMON: CVE-2022-26672

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-32820

AFFECTED PRODUCTS

vendor: asus, model: webstorage, scope: lt, version: 3.10.2

Trust: 1.0

vendor: asustek computer, model: webstorage, scope: eq, version: -

Trust: 0.8

vendor: asustek computer, model: webstorage, scope: eq, version: 3.10.2

Trust: 0.8

vendor: asustek computer, model: webstorage, scope: -, version: -

Trust: 0.8

vendor: asus, model: webstorage, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2022-32820 // JVNDB: JVNDB-2022-008392 // NVD: CVE-2022-26672

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26672
value: CRITICAL

Trust: 1.0

twcert@cert.org.tw: CVE-2022-26672
value: HIGH

Trust: 1.0

NVD: CVE-2022-26672
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2022-32820
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202204-4260
value: CRITICAL

Trust: 0.6

VULHUB: VHN-417341
value: HIGH

Trust: 0.1

VULMON: CVE-2022-26672
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-26672
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-32820
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-417341
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-26672
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

twcert@cert.org.tw: CVE-2022-26672
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-26672
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-32820 // VULHUB: VHN-417341 // VULMON: CVE-2022-26672 // JVNDB: JVNDB-2022-008392 // CNNVD: CNNVD-202204-4260 // NVD: CVE-2022-26672 // NVD: CVE-2022-26672

PROBLEMTYPE DATA

problemtype: CWE-798

Trust: 1.1

problemtype: Use of hard-coded credentials (CWE-798) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-417341 // JVNDB: JVNDB-2022-008392 // NVD: CVE-2022-26672

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-4260

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202204-4260

PATCH

title: Patch for ASUS WebStorage Android Security Bypass Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/331301

Trust: 0.6

title: ASUS WebStorage Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190426

Trust: 0.6

sources: CNVD: CNVD-2022-32820 // CNNVD: CNNVD-202204-4260

EXTERNAL IDS

db: NVD, id: CVE-2022-26672

Trust: 4.0

db: JVNDB, id: JVNDB-2022-008392

Trust: 0.8

db: CNVD, id: CNVD-2022-32820

Trust: 0.6

db: CNNVD, id: CNNVD-202204-4260

Trust: 0.6

db: VULHUB, id: VHN-417341

Trust: 0.1

db: VULMON, id: CVE-2022-26672

Trust: 0.1

sources: CNVD: CNVD-2022-32820 // VULHUB: VHN-417341 // VULMON: CVE-2022-26672 // JVNDB: JVNDB-2022-008392 // CNNVD: CNNVD-202204-4260 // NVD: CVE-2022-26672

REFERENCES

url:https://www.twcert.org.tw/tw/cp-132-6041-7bd67-1.html

Trust: 2.6

url:https://cxsecurity.com/cveshow/cve-2022-26672/

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-26672

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/798.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-32820 // VULHUB: VHN-417341 // VULMON: CVE-2022-26672 // JVNDB: JVNDB-2022-008392 // CNNVD: CNNVD-202204-4260 // NVD: CVE-2022-26672

SOURCES

db: CNVD, id: CNVD-2022-32820
db: VULHUB, id: VHN-417341
db: VULMON, id: CVE-2022-26672
db: JVNDB, id: JVNDB-2022-008392
db: CNNVD, id: CNNVD-202204-4260
db: NVD, id: CVE-2022-26672

LAST UPDATE DATE

2024-11-23T23:07:25.762000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-32820, date: 2022-04-27T00:00:00
db: VULHUB, id: VHN-417341, date: 2022-05-04T00:00:00
db: VULMON, id: CVE-2022-26672, date: 2022-05-04T00:00:00
db: JVNDB, id: JVNDB-2022-008392, date: 2023-07-26T08:25:00
db: CNNVD, id: CNNVD-202204-4260, date: 2022-05-05T00:00:00
db: NVD, id: CVE-2022-26672, date: 2024-11-21T06:54:18.180

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-32820, date: 2022-04-27T00:00:00
db: VULHUB, id: VHN-417341, date: 2022-04-22T00:00:00
db: VULMON, id: CVE-2022-26672, date: 2022-04-22T00:00:00
db: JVNDB, id: JVNDB-2022-008392, date: 2023-07-26T00:00:00
db: CNNVD, id: CNNVD-202204-4260, date: 2022-04-22T00:00:00
db: NVD, id: CVE-2022-26672, date: 2022-04-22T07:15:07.510