CVE-2022-29229 - Vulnerability Details

Vendors	Products
Cassproject	Competency And Skills System

Link	Providers
https://github.com/cassproject/CASS/releases/tag/1.5.8
https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx

{"containers": {"cna": {"affected": [{"product": "CASS", "vendor": "cassproject", "versions": [{"status": "affected", "version": "< 1.5.8"}]}], "descriptions": [{"lang": "en", "value": "CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account\u2019s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-325", "description": "CWE-325: Missing Cryptographic Step", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T20:55:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cassproject/CASS/releases/tag/1.5.8"}], "source": {"advisory": "GHSA-7qcx-4p32-qcmx", "discovery": "UNKNOWN"}, "title": "Missing Cryptographic Step in cassproject", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29229", "STATE": "PUBLIC", "TITLE": "Missing Cryptographic Step in cassproject"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CASS", "version": {"version_data": [{"version_value": "< 1.5.8"}]}}]}, "vendor_name": "cassproject"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account\u2019s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-325: Missing Cryptographic Step"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx", "refsource": "CONFIRM", "url": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx"}, {"name": "https://github.com/cassproject/CASS/releases/tag/1.5.8", "refsource": "MISC", "url": "https://github.com/cassproject/CASS/releases/tag/1.5.8"}]}, "source": {"advisory": "GHSA-7qcx-4p32-qcmx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.291Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cassproject/CASS/releases/tag/1.5.8"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:07:24.976356Z", "id": "CVE-2022-29229", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:25:19.216Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29229", "datePublished": "2022-05-18T20:55:09.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2025-04-23T18:25:19.216Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cassproject:competency_and_skills_system:*:*:*:*:*:docker:*:*", "matchCriteriaId": "D2D76674-26A6-45E3-8772-CD7DEAEE844E", "versionEndExcluding": "1.5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:cassproject:competency_and_skills_system:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BE259B95-B6F7-456F-9445-88AD9ECD62E3", "versionEndExcluding": "1.5.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account\u2019s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator."}, {"lang": "es", "value": "CaSS es un sistema de competencias y habilidades. La biblioteca CaSS, (npm:cassproject) presenta un paso criptogr\u00e1fico faltante cuando almacena claves criptogr\u00e1ficas que puede permitir a un administrador del servidor acceder a las claves criptogr\u00e1ficas de una cuenta. Esto afecta a servidores CaSS que usan la autenticaci\u00f3n aut\u00f3noma de nombre de usuario/contrase\u00f1a, que usa un m\u00e9todo que espera la seguridad criptogr\u00e1fica e2e de las credenciales de autorizaci\u00f3n. El problema ha sido parcheado en versi\u00f3n 1.5.8. Sin embargo, las cuentas vulnerables s\u00f3lo vuelven a asegurarse cuando el usuario vuelve a iniciar sesi\u00f3n usando la autenticaci\u00f3n aut\u00f3noma, ya que los datos necesarios para volver a asegurar la cuenta no est\u00e1n disponibles para el servidor. El problema puede mitigarse al usar SSO o certificados del lado del cliente para iniciar la sesi\u00f3n. Tenga en cuenta que la autenticaci\u00f3n SSO y de certificados del lado del cliente no presenta esta expectativa de acceso a credenciales sin conocimiento, y las claves criptogr\u00e1ficas est\u00e1n disponibles para el administrador del servidor"}], "id": "CVE-2022-29229", "lastModified": "2024-11-21T06:58:45.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-18T21:15:07.757", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cassproject/CASS/releases/tag/1.5.8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cassproject/CASS/releases/tag/1.5.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-325"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object