CVE-2022-25770: Insufficient authentication in upgrade flow
First published: Wed Sep 18 2024(Updated: )
# Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qf6m-6m4g-rmrc. This link is maintained to preserve external references. # Original Description Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.
Credit: security@mautic.org security@mautic.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/mautic/core-lib | >=5.0.0-alpha<5.1.1 | 5.1.1 |
| composer/mautic/core-lib | >=1.0.0-beta3<4.4.13 | 4.4.13 |
| composer/mautic/core | >=5.0.0-alpha<5.1.1 | 5.1.1 |
| composer/mautic/core | >=1.0.0-beta3<4.4.13 | 4.4.13 |
| composer/mautic/core | >=5.0.0<5.1.1 | 5.1.1 |
| Mautic | >=1.0.1<4.4.13 | |
| Mautic | >=5.0.0<5.1.1 | |
| Mautic | =1.0.0 | |
| Mautic | =1.0.0-beta3 | |
| Mautic | =1.0.0-beta4 | |
| Mautic | =1.0.0-rc1 | |
| Mautic | =1.0.0-rc2 | |
| Mautic | =1.0.0-rc3 | |
| Mautic | =1.0.0-rc4 | |
| >=1.0.1<4.4.13 | ||
| >=5.0.0<5.1.1 | ||
| =1.0.0 | ||
| =1.0.0-beta3 | ||
| =1.0.0-beta4 | ||
| =1.0.0-rc1 | ||
| =1.0.0-rc2 | ||
| =1.0.0-rc3 | ||
| =1.0.0-rc4 |
Remedy
Upgrade to 4.4.13 or 5.1.1 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/mautic/mautic/security/advisories/GHSA-qf6m-6m4g-rmrc
- https://nvd.nist.gov/vuln/detail/CVE-2022-25770
- https://github.com/advisories/GHSA-5hc5-fxr9-5frc (Advisory)
- https://github.com/mautic/mautic/commit/73b18e9a434a28e528fe0e3d03620e7367bdcdca
- https://github.com/mautic/mautic/commit/aee7bfb7510a83acf178a7f02da9661c040e9abf
- https://github.com/advisories/GHSA-qf6m-6m4g-rmrc (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-25770?
CVE-2022-25770 is considered a moderate severity vulnerability due to the specific conditions required for exploitation.
How do I fix CVE-2022-25770?
To mitigate CVE-2022-25770, upgrade Mautic to version 5.1.1 or 4.4.13.
What is the impact of CVE-2022-25770?
CVE-2022-25770 may allow unauthorized upgrades leading to potential application vulnerabilities if installed improperly.
Which versions of Mautic are affected by CVE-2022-25770?
Versions of Mautic from 5.0.0 up to 5.1.1 and from 1.0.0-beta3 up to 4.4.13 are affected by CVE-2022-25770.
Is CVE-2022-25770 easy to exploit?
Exploitation of CVE-2022-25770 requires specific system configurations, making it less common.
- agent/remedy
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- source/GitHub
- alias/GHSA-5hc5-fxr9-5frc
- alias/CVE-2022-25770
- agent/software-canonical-lookup
- agent/trending
- agent/source
- collector/github-advisory-latest
- alias/GHSA-qf6m-6m4g-rmrc
- agent/references
- agent/description
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-api
- package-manager/composer
- vendor/acquia
- canonical/mautic
- version/mautic/1.0.1
- version/mautic/5.0.0
- version/mautic/1.0.0
- version/mautic/1.0.0-beta3
- version/mautic/1.0.0-beta4
- version/mautic/1.0.0-rc1
- version/mautic/1.0.0-rc2
- version/mautic/1.0.0-rc3
- version/mautic/1.0.0-rc4