SB2022082207 - Multiple vulnerabilities in Mealie

Security Bulletin ID SB2022082207

Severity

Medium

Patch available

NO

Number of vulnerabilities 4

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2022-34624)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an improper session termination/expiration flaw. A remote attacker can perform a man-in-the-middle attack and reuse the download token to download arbitrary files.

2) Weak password requirements (CVE-ID: CVE-2022-34615)

The vulnerability allows an attacker to perform brute-force attack and guess the password.

The vulnerability exists due to weak password requirements. A remote attacker can perform a brute-force attack and guess users' passwords.

3) Input validation error (CVE-ID: CVE-2022-34621)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to Insecure Direct Object Reference (IDOR) issue in the user_id parameter. A remote user can perform a brute-force attack and change the password or profile images and other settings of arbitrary users on the system.

4) Information disclosure (CVE-ID: CVE-2022-34623)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a flaw in the authentication process. A remote attacker can send a specially crafted request using improper username and password and gain unauthorized access to sensitive information on the system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

SB2022082207 - Multiple vulnerabilities in Mealie

Breakdown by Severity

Description

Remediation

References

Please verify you're human