CVE-2022-22551

Published: Jan 21, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session.

Affected (1)

Products: Dell: Emc Appsync

Dell

1 product

Emc Appsync

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dell Emc Appsync	Before 4.4.0.0

Related CWEs

CWE-384

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

CWE-598

Use of GET Request Method With Sensitive Query Strings

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

References (2)

https://www.dell.com/support/kbdoc/000195377

Source: security_alert@emc.com

PatchVendor Advisory

https://www.dell.com/support/kbdoc/000195377

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.