PT-2022-19270 · Nokia · Nokia AirFrame BMC Web GUI
Authors: Andrea Carlo Maria Dattola, +1
Published: 2022-10-11 · Updated: 2023-08-08
CVE-2022-28866
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Nokia AirFrame BMC Web GUI versions prior to R18 Firmware v4.13.00
Description
The software contains an improper access control flaw. Certain API endpoints, such as "/#settings/" and "/api/settings/", do not correctly validate that the requester is entitled to read or modify the data and functionality they expose. An attacker can therefore view sensitive data and change system configuration, which could lead to a denial of service (DoS), without any check of user identity or permissions being performed.
Recommendations
For Nokia AirFrame BMC Web GUI versions prior to R18 Firmware v4.13.00, update to R18 Firmware v4.13.00 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/#settings/" and "/api/settings/" endpoints to minimize the risk of exploitation. Note that the fragment part of "/#settings/" is handled by the browser and is never sent to the server, so any server-side or proxy-side restriction has to be enforced on "/api/settings/" (and on whatever other endpoints back the settings UI) rather than on the fragment route.
Exploit
Fix
Weakness Enumeration: Missing Authorization (CWE-862)
Related Identifiers
Affected Products: Nokia AirFrame BMC Web GUI