CVE-2022-37109
Published: 14 November 2022
Summary
CVE-2022-37109 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Camp Project Camp. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 8.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-37109 is an incorrect access control vulnerability affecting the patrickfuller camp Raspberry Pi camera server through commit bbd53a256ed70e79bd8758080936afbf6d738767. The password.txt file resides in the root directory served by Tornado's StaticFileHandler, allowing the intended 403 restriction rule to be bypassed. In addition, the stored password hash is reused directly as the cookie secret, eliminating any need to crack the hash for authentication.
An unauthenticated remote attacker can retrieve the password hash via the bypassed file access and then forge a valid authentication cookie using that same value. This grants full administrative access to the camera server, enabling arbitrary actions such as viewing or controlling the camera feed without any prior credentials or user interaction.
Public references include a corrective commit that addresses the file exposure and cookie handling, along with proof-of-concept exploits published on GitHub and Packet Storm. The EPSS score has remained flat at 0.0695 with no material increase since disclosure.
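A deployment check for the two weaknesses described above, as an added example (not code from the camp project or its corrective commit). The function names, directory layout, placeholder hash and 32-character minimum are assumptions made for illustration.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path


def audit(static_root, credential_file, cookie_secret):
    """Return findings for the two weaknesses described in the analysis."""
    findings = []
    root = Path(static_root).resolve()
    cred = Path(credential_file).resolve()
    # Weakness 1: compare resolved filesystem paths, not a URL deny rule.
    if root in cred.parents:
        findings.append("credential file is inside the static root")
    # Weakness 2: the cookie-signing secret is the stored password hash itself.
    stored = cred.read_text().strip() if cred.is_file() else ""
    if stored and hmac.compare_digest(stored.encode(), cookie_secret.encode()):
        findings.append("cookie secret equals the stored password hash")
    if len(cookie_secret) < 32:  # assumed minimum length for a signing key
        findings.append("cookie secret is shorter than 32 characters")
    return findings


def load_or_create_secret(path):
    """Independent random signing key, created once with mode 0600."""
    p = Path(path)
    if not p.exists():
        fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(secrets.token_hex(32))
    return p.read_text().strip()


def demo():
    """Constructed layout: 'before' mirrors the description, 'after' is corrected."""
    with tempfile.TemporaryDirectory() as tmp:
        static_root, private = Path(tmp, "static"), Path(tmp, "private")
        for d in (static_root, private):
            d.mkdir()
        fake_hash = "0" * 60  # constructed placeholder, not a real hash
        (static_root / "password.txt").write_text(fake_hash)
        before = audit(static_root, static_root / "password.txt", fake_hash)
        # Corrected layout: credentials and signing key live outside the root.
        (private / "password.txt").write_text(fake_hash)
        secret = load_or_create_secret(private / "cookie_secret")
        after = audit(static_root, private / "password.txt", secret)
    return before, after
```

Running `demo()` returns the findings for the weak layout followed by an empty list for the corrected one.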
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39762
Vulnerability details
patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Training instructs users on protecting credentials from disclosure or unauthorized access.
Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.
Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.
Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.
Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.