CVE-2022-25626 (GCVE-0-2022-25626)
Vulnerability from cvelistv5
Published
2022-12-16 00:00
Modified
2025-04-18 13:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Authentication Bypass
Summary
An unauthenticated user can access Identity Manager’s management console specific page URLs. However, the system doesn’t allow the user to carry out server side tasks without a valid web session.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Symantec Identity Governance and Administration |
Version: 14.3, 14.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:50.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/21136"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-25626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T13:31:22.624911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "CWE-425 Direct Request (\u0027Forced Browsing\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T13:31:49.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Symantec Identity Governance and Administration",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "14.3, 14.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated user can access Identity Manager\u2019s management console specific page URLs. However, the system doesn\u2019t allow the user to carry out server side tasks without a valid web session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T00:00:00.000Z",
"orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
"shortName": "symantec"
},
"references": [
{
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/21136"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
"assignerShortName": "symantec",
"cveId": "CVE-2022-25626",
"datePublished": "2022-12-16T00:00:00.000Z",
"dateReserved": "2022-02-21T00:00:00.000Z",
"dateUpdated": "2025-04-18T13:31:49.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-25626\",\"sourceIdentifier\":\"secure@symantec.com\",\"published\":\"2022-12-16T16:15:21.553\",\"lastModified\":\"2025-04-18T14:15:17.737\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unauthenticated user can access Identity Manager\u2019s management console specific page URLs. However, the system doesn\u2019t allow the user to carry out server side tasks without a valid web session.\"},{\"lang\":\"es\",\"value\":\"Un usuario no autenticado puede acceder a las URL de p\u00e1ginas espec\u00edficas de la consola de administraci\u00f3n de Identity Manager. Sin embargo, el sistema no permite al usuario realizar tareas del lado del servidor sin una sesi\u00f3n web v\u00e1lida.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-425\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F02FD4DC-D8DF-4665-A0FC-0B62FA66939E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:broadcom:symantec_identity_governance_and_administration:14.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5715C42F-8629-41C6-96E9-CC6DA8E3ABCE\"}]}]}],\"references\":[{\"url\":\"https://support.broadcom.com/external/content/SecurityAdvisories/0/21136\",\"source\":\"secure@symantec.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://support.broadcom.com/external/content/SecurityAdvisories/0/21136\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://support.broadcom.com/external/content/SecurityAdvisories/0/21136\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:42:50.319Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-25626\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-18T13:31:22.624911Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-425\", \"description\": \"CWE-425 Direct Request (\u0027Forced Browsing\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-18T13:31:44.448Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"Symantec Identity Governance and Administration\", \"versions\": [{\"status\": \"affected\", \"version\": \"14.3, 14.4\"}]}], \"references\": [{\"url\": \"https://support.broadcom.com/external/content/SecurityAdvisories/0/21136\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unauthenticated user can access Identity Manager\\u2019s management console specific page URLs. However, the system doesn\\u2019t allow the user to carry out server side tasks without a valid web session.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Authentication Bypass\"}]}], \"providerMetadata\": {\"orgId\": \"80d3bcb6-88de-48c2-a47e-aebf795f19b5\", \"shortName\": \"symantec\", \"dateUpdated\": \"2022-12-16T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-25626\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-18T13:31:49.540Z\", \"dateReserved\": \"2022-02-21T00:00:00.000Z\", \"assignerOrgId\": \"80d3bcb6-88de-48c2-a47e-aebf795f19b5\", \"datePublished\": \"2022-12-16T00:00:00.000Z\", \"assignerShortName\": \"symantec\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…