Severity: Critical
CVE ID: CVE-2022-36923
| Product name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, OpUtils | Customers with builds between 126113 and 126117 | 126118 | 27-07-2022 |
| | Customers with builds between 126100 and 126103 | 126104 | 28-07-2022 |
| | Customers with builds 126000 and 126001 | 126002 | |
| | Customers with build 125664 | 126002 | |
| | Customers with builds between 125450 and 125656 | 125657 | |
Details:
Improper request handling allowed a user's API key to be retrieved without authentication. This has now been fixed.
Impact:
Anyone can retrieve the API key of a valid user without authentication and then use that key to access the external APIs.
Steps to upgrade:
Important steps to follow after the product upgrade: It is highly advisable to regenerate the API key for all users after the upgrade. To regenerate an API key, click the Personalize/Quick settings icon (near the user icon), select the 'Rest API key' tab and click the 'Regenerate Key' option.
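To help an administrator decide quickly whether an installed build is affected and which build to upgrade to, the following Python helper encodes the advisory's affected build ranges and fixed builds and classifies a build number against them. This is an added example written for this page, not vendor code: the range data comes from the table above, while the function names (`parse_build`, `classify_build`) and the handling of builds that fall outside every listed range are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional


class Status(NamedTuple):
    affected: bool
    fixed_build: Optional[int]  # build to upgrade to when affected, else None
    note: str


# (lowest affected build, highest affected build, fixed build), inclusive,
# taken from the advisory table for CVE-2022-36923.
AFFECTED_RANGES = (
    (126113, 126117, 126118),
    (126100, 126103, 126104),
    (126000, 126001, 126002),
    (125664, 125664, 126002),
    (125450, 125656, 125657),
)

FIXED_BUILDS = frozenset(fixed for _, _, fixed in AFFECTED_RANGES)
LOWEST_LISTED_BUILD = min(low for low, _, _ in AFFECTED_RANGES)

# Post-upgrade step the advisory calls for; repeated in the status note so the
# operator does not stop at the upgrade itself.
REGENERATE_REMINDER = "after upgrading, regenerate the REST API key for all users"


def parse_build(text: str) -> int:
    """Extract the build number from strings such as 'Build No. 126115'.

    Assumption of this example: the build number is the first run of five or
    more digits in the string.
    """
    match = re.search(r"\b(\d{5,})\b", text)
    if match is None:
        raise ValueError(f"no build number found in {text!r}")
    return int(match.group(1))


def classify_build(build: int) -> Status:
    """Classify a build against the advisory's affected and fixed builds."""
    for low, high, fixed in AFFECTED_RANGES:
        if low <= build <= high:
            return Status(
                True,
                fixed,
                f"build {build} is in affected range {low}-{high}; "
                f"upgrade to {fixed}; {REGENERATE_REMINDER}",
            )
    if build in FIXED_BUILDS:
        return Status(False, None, f"build {build} is a fixed build listed in the advisory")
    if build < LOWEST_LISTED_BUILD:
        # The advisory says nothing about older builds, so this is not a
        # statement that they are safe; it only reports that they are not listed.
        return Status(False, None, f"build {build} predates the ranges listed in the advisory")
    return Status(False, None, f"build {build} is outside the listed affected ranges")


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real installation.
    for sample in ("OpManager Build No. 126115", "Build 125664", "Build 126002", "Build 125700"):
        status = classify_build(parse_build(sample))
        print(f"{sample}: affected={status.affected} -> {status.note}")
```

Builds that sit between two listed ranges (for example 125657 to 125663, or 126003 to 126099) are reported as outside the affected ranges because the advisory does not list them as affected; confirm with the product support teams named below if an installation runs such a build.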
Source and Acknowledgements
This vulnerability was reported by an anonymous researcher working with Trend Micro Zero Day Initiative. Find out more about CVE-2022-36923 from the CVE dictionary.
Kindly contact the respective product support teams for further details at the email addresses mentioned below: