CVE-2022-29174

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-29174
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29174.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-29174
Related
  • GHSA-98vh-wqw5-p23v
Published
2022-05-17T21:15:08Z
Modified
2025-01-08T14:16:52.015076Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

countly-server is the server-side part of Countly, a product analytics solution. Prior to versions 22.03.7 and 21.11.4, a malicious actor who knows an account email address/username and full name specified in the database is capable of guessing the password reset token. The actor may use this information to reset the password and take over the account. The problem has been patched in Countly Server version 22.03.7 for servers using the new user interface and in 21.11.4 for servers using the old user interface.

References

Affected packages

Git / github.com/countly/countly-server

Affected ranges

Type
GIT
Repo
https://github.com/countly/countly-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

15.*

15.03
15.03.02
15.06
15.08
15.3beta

16.*

16.02
16.02.1
16.06

22.*

22.03.6

Other

SERVER-1658
expand_table_icon_prefix
popup-update

countly-server-v13.*

countly-server-v13.06

v13.*

v13.10

v14.*

v14.08

v16.*

v16.12
v16.12.1
v16.12.2
v16.12.3

v17.*

v17.05
v17.05.1
v17.09

v18.*

v18.01
v18.01.1
v18.04
v18.04.1
v18.08
v18.08.1
v18.08.2

v19.*

v19.02
v19.02.1
v19.08
v19.08.1

v20.*

v20.04
v20.04.1
v20.04.1.2
v20.04.1.3
v20.04.1.4
v20.04.1.5
v20.04.1.7
v20.11
v20.11.1
v20.11.2

v21.*

v21.11
v21.11.1
v21.11.2
v21.11.3

v22.*

v22.03
v22.03.1
v22.03.2
v22.03.3
v22.03.4
v22.03.5
v22.03.6
v22.03.6.1
v22.03.6.2