CVE-2022-1606: Incorrect Privilege Assignment

DESCRIPTION:

Incorrect privilege assignment in M-Files Server versions before 23.3.11164.0 and before 23.3.11237.1 allowed reading of unmanaged objects.

AFFECTED PRODUCTS:

All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1.

MORE INFORMATION:

"See and undelete deleted objects" permission incorrectly gives access to read undeleted unmanaged objects.

CVSS 3.1 Score: 2.4

CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CWE: CWE-269 Improper Privilege Management

CAPEC: CAPEC-233 Privilege Escalation

Internal ID: 161409

 

---

Date issued: 2022-11-30

LINKS

https://www.cve.org/CVERecord?id=CVE-2022-1606