Cyber Resilience

CVE-2022-2651

Critical · Public PoC

Published: 04 August 2022

Modified: 21 November 2024
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: fixed in BookWyrm 0.4.5
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1694 (95.1st percentile)
Risk Priority: 30 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2651 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Joinbookwyrm BookWyrm. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-2651 is an authentication bypass vulnerability classified under CWE-305 that affects the BookWyrm social reading platform (GitHub repository bookwyrm-social/bookwyrm) in versions prior to 0.4.5. The flaw carries a CVSS 3.1 base score of 9.8: it is exploitable over the network with low attack complexity and requires no privileges or user interaction, and a successful exploit has high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker who exploits the weakness can bypass the application's primary authentication control and gain full access to the instance, with consequences that include data exfiltration, modification of user content, and service disruption.

Public references point to the specific commit that resolves the issue and to a coordinated disclosure on huntr.dev; administrators are therefore advised to upgrade to BookWyrm 0.4.5 or later without delay. A functional proof-of-concept has been published on PacketStorm, and the EPSS score has held steady at 0.1694 with no subsequent rise.

Vulnerability details

Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.

CWE(s)

CWE-305: Authentication Bypass by Primary Weakness

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: joinbookwyrm
Product: bookwyrm
Versions: ≤ 0.4.5 (as recorded in this entry; the vulnerability description above states "prior to 0.4.5", and 0.4.5 is the fixed release)

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not reached this CVE. Until it does, the only documented remediation is the vendor fix: upgrade to BookWyrm 0.4.5 or later.
