PT-2022-4178 · Device42 · Device42 Cmdb

Published 2022-08-12 · Updated 2024-09-17 · CVE-2022-1401

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Device42 CMDB versions prior to 18.01.00

Description: Improper access control in the /Exago/WrImageResource.adx route of the Device42 Asset Management Appliance allows an unauthenticated remote attacker to read sensitive server files. Because the handler reads files with root permissions, file-system permissions on the appliance offer no protection for the files it can reach. The same identifier also covers inadequate access control in the db optimize() function in applmgr/applmgrsite/views.py, which can let a remote attacker gain unauthorized access to protected information. The CVSS vector (AV:N, PR:N, UI:N) reflects that the issue is reachable over the network with no credentials and no user interaction.

Recommendations: Update Device42 CMDB to version 18.01.00 or later; this is the only complete fix. Until the update is applied, restrict access to the /Exago/WrImageResource.adx route at the network edge or a reverse proxy so that it is reachable only from trusted administrative networks, and restrict access to the db optimize() function in applmgr/applmgrsite/views.py in the same way. Treat these restrictions as temporary workarounds, not as a fix: they do not remove the missing authorization check, and an attacker who already has a foothold on a trusted network can still reach the route.
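Two offline checks an operator can run while rolling out the update, as an added example that is not part of the advisory and not Device42's own code: a version comparison against the fixed release named above, and a scan of reverse-proxy access logs for requests to the /Exago/WrImageResource.adx route from outside the trusted networks the workaround should allow. It assumes (neither is stated on the page) that Device42 version strings follow the MAJOR.MINOR.PATCH form seen in "18.01.00" and that the proxy writes a standard combined-format access log; the log lines are constructed for the example, and the query string a real request to the route would carry is deliberately not shown because the advisory does not give it.

```python
"""Added example for PT-2022-4178 / CVE-2022-1401 (not from the advisory or Device42).

Assumptions: Device42 versions look like '18.01.00' (MAJOR.MINOR.PATCH), and the
reverse proxy in front of the appliance logs in Apache/nginx combined format.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

FIXED_VERSION = (18, 1, 0)                 # 18.01.00, the release named in the advisory
VULN_ROUTE = "/Exago/WrImageResource.adx"  # route named in the advisory


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '18.01.00' into (18, 1, 0); leading zeros are not significant.
    Shorter strings such as '18.1' are padded with zeros."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Device42 version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the installed version is older than 18.01.00."""
    return parse_version(version) < FIXED_VERSION


# Combined log format (assumed): ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_route_hits(log_lines: Iterable[str], trusted_nets: Iterable[str]) -> List[Dict[str, object]]:
    """Report requests to the vulnerable route from outside the trusted networks.

    'served' is True when the appliance answered 2xx, i.e. the restriction the
    advisory recommends was not in place for that request."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or different format: skip, never abort the scan
        # Compare the path only (query string dropped) and case-insensitively so
        # mixed-case requests for the same handler are not missed.
        path = m["target"].split("?", 1)[0]
        if path.lower() != VULN_ROUTE.lower():
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if any(addr in net for net in nets):
            continue  # request came from an allowed administrative network
        status = int(m["status"])
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "served": 200 <= status < 300})
    return hits


# Constructed sample log (not real traffic); 10.0.0.0/8 plays the trusted admin network.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2022:10:02:11 +0000] "GET /Exago/WrImageResource.adx HTTP/1.1" 200 5121 "-" "curl/7.81.0"',
    '10.0.5.20 - - [12/Aug/2022:10:03:40 +0000] "GET /Exago/WrImageResource.adx HTTP/1.1" 200 5121 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Aug/2022:10:05:02 +0000] "GET /exago/wrimageresource.adx HTTP/1.1" 403 153 "-" "python-requests/2.28"',
    '203.0.113.7 - - [12/Aug/2022:10:06:15 +0000] "GET /login HTTP/1.1" 200 2210 "-" "curl/7.81.0"',
    'garbage line that is not an access log entry',
]
TRUSTED_NETS = ["10.0.0.0/8"]

if __name__ == "__main__":
    for v in ("17.05.02", "18.00.12", "18.01.00", "18.02.01"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for hit in find_route_hits(SAMPLE_LOG, TRUSTED_NETS):
        verdict = "SERVED (unrestricted)" if hit["served"] else "blocked"
        print(f"{hit['time']} {hit['ip']} -> {VULN_ROUTE}: HTTP {hit['status']} {verdict}")
```

A hit marked served from an untrusted address means an unauthenticated file read was possible at that moment and the appliance should be treated as potentially compromised, not merely unpatched; a 403 hit shows the proxy restriction doing its job but still records an attempt worth investigating.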

Fix

Weakness Enumeration

CWE-284 Improper Access Control
CWE-863 Incorrect Authorization

Related Identifiers

BDU:2022-05025
CVE-2022-1401

Affected Products

Device42 Cmdb