CVE-2022-39315

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

25/10/2022

Last modified:

14/07/2023

Description

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby&#39;s API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Base Score 3.x

5.30

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:getkirby:kirby::::::::		3.5.8.2 (excluding)
cpe:2.3:a:getkirby:kirby::::::::	3.6.0 (including)	3.6.6.2 (excluding)
cpe:2.3:a:getkirby:kirby::::::::	3.7.0 (including)	3.7.5.1 (excluding)
cpe:2.3:a:getkirby:kirby:3.8.0:-::::::
cpe:2.3:a:getkirby:kirby:3.8.0:rc1::::::
cpe:2.3:a:getkirby:kirby:3.8.0:rc2::::::
cpe:2.3:a:getkirby:kirby:3.8.0:rc3::::::

To consult the complete list of CPE names with products and versions, see this page

CVE-2022-39315

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools