Vulnerability Details : CVE-2022-48506
A flawed pseudorandom number generator in Dominion Voting Systems ImageCast Precinct (ICP and ICP2) and ImageCast Evolution (ICE) scanners allows anyone to determine the order in which ballots were cast from public ballot-level data, allowing deanonymization of voted ballots, in several types of scenarios. This issue was observed for use of the following versions of Democracy Suite: 5.2, 5.4-NM, 5.5, 5.5-A, 5.5-B, 5.5-C, 5.5-D, 5.7-A, 5.10, 5.10A, 5.15. NOTE: the Democracy Suite 5.17 EAC Certificate of Conformance mentions "Improved pseudo random number algorithm," which may be relevant.
Products affected by CVE-2022-48506
- cpe:2.3:h:dominionvoting:democracy_suite:5.5-a:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.2:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.4-nm:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.5:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.5-b:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.5-c:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.5-d:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.7-a:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.10:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.10a:*:*:*:*:*:*:*
- cpe:2.3:h:dominionvoting:democracy_suite:5.15:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-48506
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-48506
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.4
|
LOW | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
0.9
|
1.4
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-02 |
2.4
|
LOW | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
0.9
|
1.4
|
NIST |
CWE ids for CVE-2022-48506
-
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-48506
-
https://dvsorder.org
The DVSorder VulnerabilityProduct
-
https://www.eac.gov/voting-equipment/democracy-suite-517
Democracy Suite 5.17 | U.S. Election Assistance CommissionProduct;US Government Resource
-
https://www.eac.gov/sites/default/files/voting_system/files/D-Suite%205.17%20Certificate%20and%20Scope%20SIGNED.pdf
Product;US Government Resource
-
https://freedom-to-tinker.com/2023/06/14/security-analysis-of-the-dominion-imagecast-x/
Security Analysis of the Dominion ImageCast X - Freedom to TinkerThird Party Advisory
Jump to