CVE-2022-3287

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-3287
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3287.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-3287
Downstream
Related
Published
2022-09-28T20:15:18Z
Modified
2025-09-19T13:59:12.125324Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.

References

Affected packages

Git / github.com/fwupd/fwupd

Affected ranges

Type
GIT
Repo
https://github.com/fwupd/fwupd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ea676855f2119e36d433fbd2ed604039f53b2091

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.8.0
0.8.1
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.10
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4

Other

fwupd_0_1_0
fwupd_0_1_1
fwupd_0_1_2

Database specific 

{
    "vanir_signatures": [
        {
            "signature_type": "Function",
            "target": {
                "function": "main",
                "file": "libfwupdplugin/fu-self-test.c"
            },
            "digest": {
                "function_hash": "227917478323252753942772574516484288925",
                "length": 6654.0
            },
            "id": "CVE-2022-3287-1b606760",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "libfwupdplugin/fu-plugin.c"
            },
            "digest": {
                "line_hashes": [
                    "185694364291763376642641409172221107882",
                    "233435206009929904409078305488020573124",
                    "74499654005614357766165854005290688510",
                    "51724551807383385144170535167135777641",
                    "277646382442569870382172387158228914313",
                    "129557590716005878388210207849088465328",
                    "39984794960422302476945206173212967436",
                    "96783522183038548586739436693424012024",
                    "121505856104040833355480307156763806941",
                    "19412089633113111749417454227755956960",
                    "109371934755871094335088615757702522254",
                    "306565628157472737633719401119601713126",
                    "254471677914945781467302013504620918895",
                    "160495244318518926839985964936445805787",
                    "31970284475940352458706986219287961391",
                    "333657930080506697992470144884423918179",
                    "242283288313172417285452333850382015749",
                    "290613462988412424815698065408901741896",
                    "242332176029108878734290747012777413454",
                    "197242592975941211741049831712828596721",
                    "141270387646378681333192281509487491530",
                    "105354130572029313441040541341812459245"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2022-3287-6f89733f",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "libfwupdplugin/fu-self-test.c"
            },
            "digest": {
                "line_hashes": [
                    "172713642334055919252251013068382982774",
                    "319513597485738336899299336342497714212",
                    "84298258347774728497669159493267459408",
                    "154725807124619395619167265059380744563",
                    "123196057370551060642552809795984979096",
                    "311861332273394396525935250003739303214",
                    "10135743727097914286452478474768985291"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2022-3287-b43b8230",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091"
        },
        {
            "signature_type": "Function",
            "target": {
                "function": "fu_plugin_set_secure_config_value",
                "file": "libfwupdplugin/fu-plugin.c"
            },
            "digest": {
                "function_hash": "215192322070254730145595331785048088985",
                "length": 613.0
            },
            "id": "CVE-2022-3287-d3be6af6",
            "signature_version": "v1",
            "deprecated": false,
            "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091"
        }
    ]
}