CVE-2022-2651
Published: 04 August 2022
Summary
CVE-2022-2651 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Joinbookwyrm Bookwyrm. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-2651 is an authentication bypass vulnerability classified under CWE-305 that affects the BookWyrm social reading platform in the bookwyrm-social/bookwyrm repository prior to version 0.4.5. The flaw received a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with low attack complexity and no required privileges or user interaction, with full impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit the weakness to bypass the primary authentication controls and obtain complete access to the application instance, enabling arbitrary actions such as data exfiltration, modification of user content, or service disruption.
Public references point to a specific commit that resolves the issue and to a coordinated disclosure on huntr.dev; administrators are therefore advised to upgrade immediately to BookWyrm 0.4.5 or later. A functional proof-of-concept has been published on PacketStorm, and the EPSS score has remained steady at 0.1694 with no subsequent rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34897
Vulnerability details
Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.
- CWE(s): CWE-305 (Authentication Bypass by Primary Weakness)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.