CVE-2022-22833
Published: 06 February 2022
Summary
CVE-2022-22833 is a high-severity vulnerability of unspecified weakness type in Servisnet Tessa. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-22833 is an information disclosure vulnerability affecting Servisnet Tessa version 0.0.2. The flaw allows an unauthenticated remote attacker to retrieve sensitive data by issuing a simple request to the /js/app.js endpoint, which exposes credentials and other internal configuration details without any access controls.
An attacker with network access can exploit the issue to obtain MQTT credentials and related secrets. This enables further attacks such as unauthorized access to messaging infrastructure or lateral movement within the affected environment, consistent with the CVSS 7.5 rating reflecting high confidentiality impact and low attack complexity.
Public exploit code and proof-of-concept reports have been published on sites including Exploit-DB and Packet Storm, confirming the vulnerability can be triggered with a single unauthenticated HTTP request. The associated EPSS score has remained near 0.25 with only minimal fluctuation between its recorded peak and current values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27971
Vulnerability details
An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obtain sensitive information via a /js/app.js request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.