ID
VAR-202210-0521
CVE
CVE-2022-28866
TITLE
Nokia's airframe bmc web gui r18 Lack of Authentication Vulnerability in Firmware
Trust: 0.8
DESCRIPTION
Multiple Improper Access Control was discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages, with sensitive data, that are not allowed, and modify system configurations also causing DoS, which should be accessed only by user with administration profile, bypassing all controls (without checking for user identity). Nokia's airframe bmc web gui r18 A lack of authentication vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Nokia AirFrame BMC is a high-performance and energy-efficient solution from Nokia Corporation of Finland. Designed for scalable data centers and heavy workloads. The R18 Firmware v4.13.00 version of Nokia AirFrame BMC Web GUI has a security vulnerability, which stems from the inability to properly authenticate data and functions in all endpoints accessed (or edited) under /#settings/* and /api/settings/* ask
Trust: 1.71
AFFECTED PRODUCTS
| vendor: | nokia | model: | airframe bmc web gui r18 | scope: | lt | version: | 4.13.00 | Trust: 1.0 |
| vendor: | ノキア | model: | airframe bmc web gui r18 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | ノキア | model: | airframe bmc web gui r18 | scope: | eq | version: | airframe bmc web gui r18 firmware 4.13.00 | Trust: 0.8 |
| vendor: | ノキア | model: | airframe bmc web gui r18 | scope: | eq | version: | - | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-862 | Trust: 1.0 |
| problemtype: | Lack of authentication (CWE-862) [NVD evaluation ] | Trust: 0.8 |
| problemtype: | CWE-863 | Trust: 0.1 |
THREAT TYPE
remote
Trust: 0.6
TYPE
other
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2022-28866 | Trust: 3.3 |
| db: | JVNDB | id: | JVNDB-2022-018883 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-202210-602 | Trust: 0.7 |
| db: | VULHUB | id: | VHN-420400 | Trust: 0.1 |
REFERENCES
| url: | https://www.gruppotim.it/it/footer/red-team.html | Trust: 2.5 |
| url: | https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html | Trust: 2.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-28866 | Trust: 1.4 |
| url: | https://cxsecurity.com/cveshow/cve-2022-28866/ | Trust: 0.6 |
SOURCES
| db: | VULHUB | id: | VHN-420400 |
| db: | JVNDB | id: | JVNDB-2022-018883 |
| db: | CNNVD | id: | CNNVD-202210-602 |
| db: | NVD | id: | CVE-2022-28866 |
LAST UPDATE DATE
2024-08-14T14:17:41.026000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-420400 | date: | 2022-10-13T00:00:00 |
| db: | JVNDB | id: | JVNDB-2022-018883 | date: | 2023-10-23T08:14:00 |
| db: | CNNVD | id: | CNNVD-202210-602 | date: | 2022-10-14T00:00:00 |
| db: | NVD | id: | CVE-2022-28866 | date: | 2023-08-08T14:21:49.707 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-420400 | date: | 2022-10-12T00:00:00 |
| db: | JVNDB | id: | JVNDB-2022-018883 | date: | 2023-10-23T00:00:00 |
| db: | CNNVD | id: | CNNVD-202210-602 | date: | 2022-10-11T00:00:00 |
| db: | NVD | id: | CVE-2022-28866 | date: | 2022-10-12T00:15:10.047 |