CVE-2022-41607

The application programmable interface (API) of ETIC Telecom Remote Access Server (RAS), all versions 4.5.0 and prior, is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, Python objects, database files, and more.
References
Link : https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01
Resource : Patch, Third Party Advisory, US Government Resource
Configurations

Configuration 1

AND
cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*
OR
cpe:2.3:h:etictelecom:ras-c-100-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-480-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:rfm-e:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:23

CVSS
  Values Removed: v2 : unknown, v3 : 7.5
  Values Added: v2 : unknown, v3 : 6.2
References
  Values Removed: () https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 - Patch, Third Party Advisory, US Government Resource
  Values Added: () https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-01 - Patch, Third Party Advisory, US Government Resource

16 Sep 2024, 20:15

Summary
  Values Removed: (en) All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.
  Values Added: (en) All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.

28 Dec 2023, 19:15

CPE
  Values Removed: cpe:2.3:a:etictelecom:remote_access_server:*:*:*:*:*:*:*:*
  Values Added:
cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ew-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-c-100-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-400:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-100:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-400-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-e-220:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ecw-220-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:ras-ec-480-lw:-:*:*:*:*:*:*:*
cpe:2.3:h:etictelecom:rfm-e:-:*:*:*:*:*:*:*
First Time
  Values Added:
Etictelecom ras-ew-400
Etictelecom ras-ecw-400-lw
Etictelecom ras-ew-100
Etictelecom rfm-e
Etictelecom ras-ec-480-lw
Etictelecom ras-e-400
Etictelecom ras-e-220
Etictelecom ras-ew-220
Etictelecom remote Access Server Firmware
Etictelecom ras-e-100
Etictelecom ras-c-100-lw
Etictelecom ras-ec-400-lw
Etictelecom ras-ec-220-lw
Etictelecom ras-ecw-220-lw

23 Aug 2023, 17:15

Summary
  Values Removed: All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.
  Values Added: All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords, scripts, python objects, database files, and more.

Information

Published : 2022-11-10 22:15

Updated : 2024-11-21 07:23


NVD link : CVE-2022-41607

Mitre link : CVE-2022-41607

CVE.ORG link : CVE-2022-41607



Products Affected

etictelecom

  • ras-ec-400-lw
  • remote_access_server_firmware
  • rfm-e
  • ras-c-100-lw
  • ras-ew-220
  • ras-ec-480-lw
  • ras-e-400
  • ras-ecw-220-lw
  • ras-ew-400
  • ras-e-220
  • ras-ecw-400-lw
  • ras-e-100
  • ras-ew-100
  • ras-ec-220-lw
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')