Improper Enforcement of Behavioral Workflow

CVE-2022-2105

High

9.4/10

Summary

Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: HIGH

CWE-841 - Improper Enforcement of Behavioral Workflow

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

References

Advisory Timeline

Published Jun 24, 2022

Improper Enforcement of Behavioral Workflow

CVE-2022-2105

Summary

CWE-841 - Improper Enforcement of Behavioral Workflow

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS