InSTEDD Nuntium geopoll_controller.rb signature timing discrepancy
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.0 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium. Impacted is an unknown function of the file app/controllers/geopoll_controller.rb. The manipulation of the argument signature results in timing discrepancy. This vulnerability is reported as CVE-2022-4823. The attack can be launched remotely. No exploit exists. A patch should be applied to remediate this issue.
Details
A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium (affected version not known). Affected is some unknown functionality of the file app/controllers/geopoll_controller.rb. The manipulation of the argument signature with an unknown input leads to a timing discrepancy vulnerability. CWE is classifying the issue as CWE-208. Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. This is going to have an impact on confidentiality.
The weakness was disclosed on 12/28/2022 as 77236f7fd71a0e2eefeea07f9866b069d612cf0d. The advisory is available at github.com. This vulnerability is tracked as CVE-2022-4823. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.
Applying the patch 77236f7fd71a0e2eefeea07f9866b069d612cf0d eliminates this problem. The bugfix is ready for download at github.com.
Product
Website
- Product: https://github.com/instedd/nuntium/
CVSSv3
VulDB Meta Base Score: 4.0
VulDB Meta Temp Score: 4.0
VulDB Base Score: 3.1
VulDB Temp Score: 3.0
NVD Base Score: 5.9
CNA Base Score: 3.1
Exploiting
Class: Timing discrepancy
CWE: CWE-208 / CWE-203 / CWE-200
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Patch
Patch: 77236f7fd71a0e2eefeea07f9866b069d612cf0d
Sources
Product: github.com
Advisory: 77236f7fd71a0e2eefeea07f9866b069d612cf0d
Status: Confirmed
CVE: CVE-2022-4823
GCVE (CVE): GCVE-0-2022-4823
GCVE (VulDB): GCVE-100-217002
Entry
Created: 12/28/2022 21:56
Updated: 01/26/2023 02:42
Changes: 12/28/2022 21:56 (41), 01/26/2023 02:34 (2), 01/26/2023 02:42 (21)