Vulnerability Details : CVE-2022-38756
A vulnerability has been identified in Micro Focus GroupWise Web in versions prior to 18.4.2. The GW Web component makes a request to the Post Office Agent that contains sensitive information in the query parameters that could be logged by any intervening HTTP proxies.
Published: 2022-12-16 23:15:10
Updated: 2023-03-01 18:24:56
Products affected by CVE-2022-38756
- cpe:2.3:a:microfocus:groupwise:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-38756
0.09%: probability of exploitation activity in the next 30 days
~37%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-38756
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 | Micro Focus International (DEFUNCT) | |
CWE ids for CVE-2022-38756
- Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-38756
- http://seclists.org/fulldisclosure/2023/Jan/28
  Full Disclosure: Trovent Security Advisory 2203-01 / Micro Focus GroupWise transmits session ID in URL (Third Party Advisory)
- http://packetstormsecurity.com/files/170768/Micro-Focus-GroupWise-Session-ID-Disclosure.html
  Micro Focus GroupWise Session ID Disclosure ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://portal.microfocus.com/s/article/KM000012374?language=en_US
  CVE-2022-38756 vulnerability in GW Web prior to 18.4.2 (Vendor Advisory)