CVE-2022-36536
Published: 16 September 2022
Summary
CVE-2022-36536 is a critical-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Syncovery. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-36536 is a privilege-escalation flaw in the post_applogin.php component of Syncovery 9 for Linux versions 9.47x and earlier. The issue stems from insufficient randomness in session-token generation, classified under CWE-330, and carries a CVSS 3.1 score of 9.8, reflecting that it is exploitable over the network without authentication or user interaction.
An unauthenticated remote attacker can supply crafted session tokens to the affected endpoint and obtain elevated privileges, resulting in full compromise of confidentiality, integrity, and availability on the target system.
The referenced advisory at mgm-sp.com details multiple vulnerabilities in the same product line and points to vendor sites super.com and syncovery.com for updates; no explicit patch or workaround text is supplied in the available references.
The associated EPSS score has remained flat at its peak value of 0.4801 since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39244
Vulnerability details
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges by creating crafted session tokens.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Key generation under controlled management uses approved random-bit sources rather than insufficiently random values.