CVE-2022-38577
Published: 19 September 2022
Summary
CVE-2022-38577 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in ProcessMaker. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
ProcessMaker versions prior to 3.5.4 contain insecure permissions on the user profile page, classified under CWE-281. The flaw affects the web-based workflow automation platform and received a CVSS 3.1 score of 8.8.
An authenticated user with normal privileges can exploit the issue over the network without user interaction to modify account settings and elevate themselves to full Administrator rights, thereby gaining complete control over the application instance.
The vendor addressed the vulnerability by releasing version 3.5.4. Public exploit code demonstrating the privilege-escalation path has been posted to Packet Storm, while the current EPSS score of 0.1383 and peak of 0.1404 indicate moderate but stable exploitation interest since disclosure.
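The pattern described above, a self-service profile page that lets a normal user write a privileged field, as an added example beside its hardened form. This is hypothetical code, not ProcessMaker's; the role names, field names and handler signatures are assumptions for illustration.

```python
# Added example (not ProcessMaker code): a profile-update handler showing the
# CWE-281 class of bug behind CVE-2022-38577, and an allow-listed fix.
from dataclasses import dataclass, field

ADMIN_ROLE = "ADMIN_ROLE"   # placeholder role names, not real identifiers
USER_ROLE = "USER_ROLE"

@dataclass
class User:
    username: str
    role: str
    email: str = ""
    attrs: dict = field(default_factory=dict)

# Fields a user may change on their own profile page.
SELF_EDITABLE = {"email", "firstname", "lastname"}
# Fields that change what the account is allowed to do.
PRIVILEGED = {"role"}

class PermissionDenied(Exception):
    pass

def update_profile_vulnerable(actor: User, form: dict) -> User:
    """Vulnerable: every submitted field is written back, 'role' included."""
    for key, value in form.items():
        if key == "role":
            actor.role = value          # normal user becomes Administrator
        elif key == "email":
            actor.email = value
        else:
            actor.attrs[key] = value
    return actor

def update_profile_fixed(actor: User, target: User, form: dict) -> User:
    """Fixed: unknown fields are rejected, privileged fields need an admin,
    and non-admins may only edit their own record."""
    unknown = set(form) - SELF_EDITABLE - PRIVILEGED
    if unknown:
        raise ValueError(f"unexpected profile fields: {sorted(unknown)}")
    if form.keys() & PRIVILEGED and actor.role != ADMIN_ROLE:
        raise PermissionDenied("only administrators may change role")
    if actor is not target and actor.role != ADMIN_ROLE:
        raise PermissionDenied("users may edit only their own profile")
    for key, value in form.items():
        if key == "email":
            target.email = value
        elif key == "role":
            target.role = value
        else:
            target.attrs[key] = value
    return target
```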
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41155
Vulnerability details
ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.
- CWE(s): CWE-281 (Improper Preservation of Permissions)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Forces removal or modification of permissions no longer required after reassignment, preventing improper preservation of old access rights.