CVE-2022-29229 — MEDIUM (6.3)

Q: How severe is CVE-2022-29229?

CVE-2022-29229 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-29229?

Check the references section above for vendor advisories and patch information. Affected products include: Cassproject Competency And Skills System.

Vulnerability Description

CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Cassproject	Competency And Skills System	< 1.5.8

Related Weaknesses (CWE)

CWE-325

References

https://github.com/cassproject/CASS/releases/tag/1.5.8Third Party Advisory
https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmxThird Party Advisory
https://github.com/cassproject/CASS/releases/tag/1.5.8Third Party Advisory
https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmxThird Party Advisory

FAQ

What is CVE-2022-29229?

CVE-2022-29229 is a vulnerability with a CVSS score of 6.3 (MEDIUM). CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cr...

How severe is CVE-2022-29229?

CVE-2022-29229 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29229?

Check the references section above for vendor advisories and patch information. Affected products include: Cassproject Competency And Skills System.