{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39039", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "dateUpdated": "2025-04-10T15:34:48.454Z", "dateReserved": "2022-08-30T00:00:00.000Z", "datePublished": "2023-01-03T00:00:00.000Z"}, "containers": {"cna": {"title": "aEnrich a+HRD - Server-Side Request Forgery (SSRF)", "datePublic": "2022-12-14T00:00:00.000Z", "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-01-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "aEnrich\u2019s a+HRD has inadequate filtering for specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(s) request to launch Server-Side Request Forgery (SSRF) attack, to perform arbitrary system command or disrupt service."}], "affected": [{"vendor": "aEnrich", "product": "a+HRD", "versions": [{"version": "6.8", "status": "affected", "lessThanOrEqual": "7.0", "versionType": "custom"}]}], "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "TVN-202210019", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T11:10:32.391Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T15:34:28.031976Z", "id": "CVE-2022-39039", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T15:34:48.454Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39039", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "dateUpdated": "2025-04-10T15:34:48.454Z", "dateReserved": "2022-08-30T00:00:00.000Z", "datePublished": "2023-01-03T00:00:00.000Z"}, "containers": {"cna": {"title": "aEnrich a+HRD - Server-Side Request Forgery (SSRF)", "datePublic": "2022-12-14T00:00:00.000Z", "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-01-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "aEnrich\u2019s a+HRD has inadequate filtering for specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(s) request to launch Server-Side Request Forgery (SSRF) attack, to perform arbitrary system command or disrupt service."}], "affected": [{"vendor": "aEnrich", "product": "a+HRD", "versions": [{"version": "6.8", "status": "affected", "lessThanOrEqual": "7.0", "versionType": "custom"}]}], "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "TVN-202210019", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T11:10:32.391Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-10T15:34:28.031976Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T15:34:43.963Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aenrich:a\\+hrd:6.8:*:*:*:*:*:*:*", "matchCriteriaId": "CFF0E4AE-57D2-4778-8E19-77F585F85EE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:aenrich:a\\+hrd:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "E60AA81B-7D96-4771-902A-FACF58130D97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "aEnrich\u2019s a+HRD has inadequate filtering for specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(s) request to launch Server-Side Request Forgery (SSRF) attack, to perform arbitrary system command or disrupt service."}, {"lang": "es", "value": "a+HRD de aEnrich tiene un filtrado inadecuado para par\u00e1metros de URL espec\u00edficos. Un atacante remoto no autenticado puede aprovechar esta vulnerabilidad para enviar solicitudes HTTP arbitrarias para lanzar un ataque de Server-Side Request Forgery (SSRF), ejecutar comandos arbitrarios del sistema o interrumpir el servicio."}], "id": "CVE-2022-39039", "lastModified": "2024-11-21T07:17:25.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2023-01-03T03:15:09.610", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}