#VU75912 Weak password requirements in fwupd - CVE-2022-3287

Published: May 9, 2023


Vulnerability identifier: #VU75912
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-3287
CWE-ID: CWE-521
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
fwupd
Software vendor:
fwupd.org

Description

The vulnerability allows a local user to obtain the credentials of the BMC operator account created by fwupd and thereby gain OPERATOR-level access to the BMC.

The vulnerability exists due to the way the redfish plugin handles passwords. When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without restricting read access to the file, so it could be read by unprivileged local users. A local user can read the configuration file, recover the password and authenticate to the BMC with OPERATOR privileges.


Remediation

Install updates from the vendor's website. After updating, verify that /etc/fwupd/redfish.conf is not readable by non-root users, and rotate the password of the BMC OPERATOR account that fwupd created, since the previous password may already have been read from the file.

External links