Vulnerability Details : CVE-2022-23655
OctoberCMS is a self-hosted CMS platform based on the Laravel PHP framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result, non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a), which adds server signature validation.
Products affected by CVE-2022-23655
- cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23655
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~46% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-23655
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N | 4.9 | 2.9 | NIST | 
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.6 | 3.6 | NIST | 
4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N | 1.2 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2022-23655
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-23655
- https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a (Checks gateway server has a valid signature · octobercms/october@e3b455a · GitHub) Patch; Third Party Advisory
- https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5 (Compromised gateway causes data breach · Advisory · octobercms/october · GitHub) Patch; Third Party Advisory