CVE-2022-22733
Published: 20 January 2022
Summary
CVE-2022-22733 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apache ShardingSphere ElasticJob-UI. Its CVSS base score is 6.5 (Medium).
It ranks in the top 1.6% of CVEs by EPSS exploit likelihood, but it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2022-22733 is an exposure-of-sensitive-information vulnerability, tracked under CWE-200, in Apache ShardingSphere ElasticJob-UI; it affects the 3.x series up to and including version 3.0.0. The flaw lets an authenticated but low-privileged user obtain information that should remain restricted to higher-privileged roles. It carries a CVSS 3.1 base score of 6.5: network attack vector, low attack complexity, low privileges required and no user interaction, with the impact falling on confidentiality.
In practice, an attacker who already holds a guest account can exploit the issue remotely, without any user interaction, to reach data and functions that the UI should reserve for privileged users; the Apache advisory describes this as privilege escalation. The precondition worth noting for defenders is that a guest login is all that is needed, so any deployment that hands out guest credentials broadly, or leaves a default guest account enabled, is exposed.
Advisories addressing the issue have been published by the Apache project and coordinated through public lists at the referenced URLs.
The EPSS score for this CVE peaked at 0.8606 and currently stands at 0.7833.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27876
Vulnerability details
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has a guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
CVEs Like This One
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on every request, so a guest account cannot retrieve ElasticJob-UI data that should be restricted.
- AC-6 (Least Privilege): requires that guest accounts receive only the minimal privileges needed, blocking the observed privilege-escalation path via information exposure.
- AC-4 (Information Flow Enforcement): enforces information-flow rules between subjects, preventing unauthorized leakage of sensitive job-configuration data to low-privileged users.
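The distinction the controls above turn on is "is the caller logged in?" versus "may this role read this resource?". The following is an added illustration written for this page, not ElasticJob-UI project code: a weak check that only tests for a session beside a deny-by-default, per-role check of the AC-3/AC-6 kind. The `Role` set, the `Principal` and `Request` shapes and the endpoint paths are hypothetical stand-ins; the normalisation step is included because an allow-list compared against a raw path can be sidestepped with dot-segments.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

/**
 * Added illustration, not ElasticJob-UI project code: the gap between
 * "is the caller logged in?" and "may this role read this resource?".
 * Roles, endpoint paths and the Principal/Request shapes are hypothetical.
 */
public class GuestAuthzExample {

    enum Role { ADMIN, GUEST }

    /** Hypothetical session principal: who is calling and with which role. */
    record Principal(String username, Role role) {}

    /** Hypothetical request summary (HTTP method and decoded path). */
    record Request(String method, String path) {}

    /**
     * Weak pattern: the only question asked is whether a session exists.
     * A guest login therefore passes this check for every endpoint an
     * admin can read, which is exactly the CWE-200 shape of this CVE.
     */
    static boolean weakAuthorize(Principal p, Request r) {
        return p != null;
    }

    /** Hypothetical per-role read allow-list; any path not listed is denied. */
    static final Map<Role, List<String>> READ_ALLOW = Map.of(
            Role.ADMIN, List.of("/api/jobs", "/api/jobs/config", "/api/settings/datasource"),
            Role.GUEST, List.of("/api/jobs"));

    /**
     * Hardened pattern (AC-3 / AC-6): deny by default, allow-list reads per
     * role, and treat every non-GET request as a state change that only
     * ADMIN may perform. The path is normalised first so that dot-segments
     * such as "/api/jobs/../settings/datasource" cannot sidestep the list.
     */
    static boolean hardenedAuthorize(Principal p, Request r) {
        if (p == null || p.role() == null || r == null || r.path() == null) {
            return false;
        }
        if (!"GET".equals(r.method())) {
            return p.role() == Role.ADMIN;
        }
        String path;
        try {
            path = URI.create(r.path()).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false;           // unparsable path: fail closed
        }
        if (path == null || path.contains("/../")) {
            return false;           // could not be resolved below the root: fail closed
        }
        return READ_ALLOW.getOrDefault(p.role(), List.of()).contains(path);
    }

    /** Runs a guest principal through a few probes and prints both decisions side by side. */
    public static void main(String[] args) {
        Principal guest = new Principal("guest", Role.GUEST);
        List<Request> probes = List.of(
                new Request("GET", "/api/jobs"),
                new Request("GET", "/api/settings/datasource"),
                new Request("GET", "/api/jobs/../settings/datasource"),
                new Request("POST", "/api/jobs/config"));
        System.out.printf("%-6s %-40s %-5s %s%n", "method", "path", "weak", "hardened");
        for (Request r : probes) {
            System.out.printf("%-6s %-40s %-5b %b%n", r.method(), r.path(),
                    weakAuthorize(guest, r), hardenedAuthorize(guest, r));
        }
    }
}
```

Running `main` shows the weak check returning true for every probe while the hardened check only admits the guest's `GET /api/jobs`. Two points carry over to a real deployment: the decision has to be made on the backend for every API route (hiding menu entries in the browser UI is not access enforcement), and a guest role should be granted by allow-list rather than by subtracting privileges from an admin default, which is what AC-6 asks for.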
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE (CWE-200). Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). These are host-level rules for the weakness class, not a fix for ElasticJob-UI itself; the application flaw is addressed by moving to a release later than 3.0.0 as described in the Apache advisory.
Ubuntu 22.04 (1 rule)
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-200
Ubuntu 24.04 (2 rules)
- V-270647 Ubuntu 24.04 LTS must not have the telnet package installed. via CWE-200
- V-270675 Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. via CWE-200
Windows 10 (1 rule)
- V-220737 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. via CWE-200
Windows Server 2016 (1 rule)
- V-224974 Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
Windows Server 2019 (1 rule)
- V-205743 Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200
Windows Server 2022 (1 rule)
- V-254395 Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. via CWE-200