CVE-2022-43978: Limited Authentication bypass due to hardcoded secret
First published: Fri Jan 27 2023(Updated: )
There is an improper authentication vulnerability in Pandora FMS v764. The application verifies that the user has a valid session when he is not trying to do a login. Since the secret is static in generatePublicHash function, an attacker with knowledge of a valid session can abuse this in order to pass the authentication check.
Credit: cve-coordination@incibe.es
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Artica Pandora FMS | <766 |
Remedy
Fixed in v766
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of the improper authentication vulnerability in Pandora FMS?
The vulnerability ID is CVE-2022-43978.
What is the severity rating of CVE-2022-43978?
The severity rating of CVE-2022-43978 is medium.
What is the affected software version of CVE-2022-43978?
The affected software version is Pandora FMS v764 up to exclusive version 766.
How can an attacker exploit CVE-2022-43978?
An attacker with knowledge of a valid session can abuse the static secret in the generatePublicHash function.
Where can I find more information about CVE-2022-43978?
You can find more information about CVE-2022-43978 at the following reference: [CVE-2022-43978](https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/)
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/remedy
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/event
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pandorafms
- canonical/artica pandora fms