Vulnerability Details : CVE-2022-39315
Kirby is a content management system. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability in the brute-force protection of the login flow affects all Kirby sites with user accounts unless both Kirby's API and Panel are disabled in the config. An attacker can tell whether a given account exists from how the login endpoint behaves once the brute-force limit has been reached: the delay that is normally inserted after a failed login was not applied on the rate-limited path, so the two failure cases are distinguishable. It can only be used for targeted attacks, because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1; in all of these releases the maintainers rewrote the affected code so that the delay is also inserted after the brute-force limit has been reached.
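The following is an added model of the flaw class described above, written for this page and not taken from Kirby's code base. It assumes a hypothetical account store, a limit of 10 failed attempts per account, a fixed failure delay, and that failures are only counted against accounts that exist; a virtual clock stands in for real sleeping so the timing difference can be measured deterministically. The `delay_on_rate_limit` flag switches between the vulnerable pattern (rate-limited replies return instantly) and the patched pattern (the same delay on every failure path):

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

# Constructed sample account store; hypothetical, not taken from any Kirby site.
USERS = {"admin@example.com": "correct horse battery staple"}

LIMIT = 10        # failed attempts per account before the limiter trips (assumed value)
DELAY_MS = 1500   # delay inserted on a failed login (assumed fixed value for a deterministic demo)


@dataclass
class FakeClock:
    """Virtual clock: lets the demo measure delays without really sleeping."""
    now_ms: int = 0

    def sleep(self, ms: int) -> None:
        self.now_ms += ms


@dataclass
class LoginService:
    clock: FakeClock
    delay_on_rate_limit: bool          # False = vulnerable pattern, True = patched pattern
    failures: dict[str, int] = field(default_factory=dict)

    def login(self, email: str, password: str) -> tuple[bool, int]:
        """One login attempt. Returns (success, elapsed_ms); the failure reason is never exposed."""
        start = self.clock.now_ms

        # The brute-force limit is checked before the password is verified.
        if self.failures.get(email, 0) >= LIMIT:
            if self.delay_on_rate_limit:
                self.clock.sleep(DELAY_MS)            # patched: same delay as any other failure
            return False, self.clock.now_ms - start   # vulnerable when the flag is False: instant reply

        expected = USERS.get(email)
        if expected is not None and hmac.compare_digest(expected, password):
            return True, self.clock.now_ms - start

        # Modelling assumption: failures are only counted against accounts that exist,
        # so the limiter can never trip for an unknown address.
        if expected is not None:
            self.failures[email] = self.failures.get(email, 0) + 1
        self.clock.sleep(DELAY_MS)
        return False, self.clock.now_ms - start


def probe(service: LoginService, email: str, attempts: int = LIMIT + 1) -> list[int]:
    """Attacker's side: submit wrong passwords for one address and record each response time."""
    return [service.login(email, "not-the-password")[1] for _ in range(attempts)]


def looks_like_existing_account(timings: list[int]) -> bool:
    """Enumeration oracle: a reply that skipped the delay means the limiter tripped,
    which in the vulnerable pattern only happens for a real account."""
    return any(t < DELAY_MS for t in timings)


if __name__ == "__main__":
    vulnerable = LoginService(FakeClock(), delay_on_rate_limit=False)
    patched = LoginService(FakeClock(), delay_on_rate_limit=True)
    for svc, label in ((vulnerable, "vulnerable"), (patched, "patched")):
        for email in ("admin@example.com", "nobody@example.com"):
            print(label, email, looks_like_existing_account(probe(svc, email)))
```

With the flag set to `False`, the eleventh attempt against the real account comes back with no delay while every attempt against the unknown address is delayed, so the oracle distinguishes the two; with the flag set to `True` all eleven replies take the same time for both addresses. The same principle applies to the response body and status code: every failure path of a login endpoint should be indistinguishable to the client, not just equally slow.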
Products affected by CVE-2022-39315
- cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* (wildcard entries covering the unpatched release ranges named above)
- cpe:2.3:a:getkirby:kirby:3.8.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:getkirby:kirby:3.8.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:getkirby:kirby:3.8.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:getkirby:kirby:3.8.0:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39315
EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~49% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2022-39315
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | GitHub, Inc. | |
CWE ids for CVE-2022-39315
- The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. (Assigned by security-advisories@github.com, secondary)
- The product generates an error message that includes sensitive information about its environment, users, or associated data. (Assigned by nvd@nist.gov, primary)
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. (Assigned by nvd@nist.gov, primary)
References for CVE-2022-39315
- https://github.com/getkirby/kirby/releases/tag/3.6.6.2 (Release 3.6.6.2, getkirby/kirby on GitHub; Release Notes; Third Party Advisory)
- https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f (User enumeration in the brute force protection, getkirby/kirby security advisory on GitHub; Third Party Advisory)
- https://github.com/getkirby/kirby/releases/tag/3.5.8.2 (Release 3.5.8.2, getkirby/kirby on GitHub; Release Notes; Third Party Advisory)
- https://github.com/getkirby/kirby/releases/tag/3.8.1 (Release 3.8.1, getkirby/kirby on GitHub; Release Notes; Third Party Advisory)
- https://github.com/getkirby/kirby/releases/tag/3.7.5.1 (Release 3.7.5.1, getkirby/kirby on GitHub; Release Notes; Third Party Advisory)