Cyber Resilience

CVE-2022-37109

Critical · Public PoC

Published: 14 November 2022

Modified: 01 May 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0695 (91.6th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37109 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Camp Project Camp. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-37109 is an incorrect access control vulnerability affecting the patrickfuller camp Raspberry Pi camera server through commit bbd53a256ed70e79bd8758080936afbf6d738767. The password.txt file resides in the root directory served by Tornado's StaticFileHandler, allowing the intended 403 restriction rule to be bypassed. In addition, the stored password hash is reused directly as the cookie secret, eliminating any need to crack the hash for authentication.

An unauthenticated remote attacker can retrieve the password hash via the bypassed file access and then forge a valid authentication cookie using that same value. This grants full administrative access to the camera server, enabling arbitrary actions such as viewing or controlling the camera feed without any prior credentials or user interaction.

Public references include a corrective commit that addresses the file exposure and cookie handling, along with proof-of-concept exploits published on GitHub and Packet Storm. The EPSS score has remained flat at 0.0695 with no material increase since disclosure.
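
A deployment check for the two weaknesses described above, as an added example (not code from the camp project or from this page). The directory layout, the helper names `is_served`, `audit` and `new_cookie_secret`, and the SHA-256 digest standing in for the stored hash are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path


def is_served(static_root: Path, candidate: Path) -> bool:
    """True if candidate resolves (after '..' and symlinks) inside static_root."""
    return candidate.resolve().is_relative_to(static_root.resolve())


def audit(static_root: Path, credential_file: Path, cookie_secret: str) -> list[str]:
    """Return findings for the two weaknesses described for CVE-2022-37109."""
    findings = []
    if is_served(static_root, credential_file):
        findings.append("credential file is inside the static root")
    stored = credential_file.read_text().strip()
    if hmac.compare_digest(stored.encode(), cookie_secret.encode()):
        findings.append("cookie secret is the stored password hash")
    return findings


def new_cookie_secret() -> str:
    """Signing key unrelated to any credential: 256 bits of CSPRNG output."""
    return secrets.token_hex(32)


def demo() -> tuple[list[str], list[str]]:
    """Constructed layouts: the weak one mirrors the description, the other is corrected."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        digest = hashlib.sha256(b"constructed-sample-password").hexdigest()
        # Weak: one directory is both application root and static root.
        weak_root = base / "weak"
        weak_root.mkdir()
        (weak_root / "password.txt").write_text(digest)
        weak = audit(weak_root, weak_root / "password.txt", digest)
        # Corrected: static files in their own directory, secret kept outside it.
        app = base / "fixed"
        (app / "static").mkdir(parents=True)
        (app / "password.txt").write_text(digest)
        fixed = audit(app / "static", app / "password.txt", new_cookie_secret())
    return weak, fixed


if __name__ == "__main__":
    print(demo())
```

Resolving both paths before comparing them means the check does not depend on a filename rule in the request router, which is the kind of rule the description says could be bypassed.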

Vulnerability details

patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

camp project · camp · ≤ 2022-07-21

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-522

Training instructs users on protecting credentials from disclosure or unauthorized access.

addresses: CWE-522

Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.

addresses: CWE-522

Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.

addresses: CWE-522

Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.

addresses: CWE-522

Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.

addresses: CWE-522

Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.

addresses: CWE-522

Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.

References