Cyber Resilience

CVE-2022-39018

High

Published: 31 October 2022

Modified: 21 November 2024
KEV Added: (none; not listed in the CISA KEV catalog)
Patch: (no entry on this record)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L)
EPSS Score: 0.0039 (60.6th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-39018 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in M-Files Hubshare. Its CVSS base score is 8.2 (High).

Operationally, it ranks in the top 39.4% of CVEs by exploit likelihood (EPSS 60.6th percentile), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allow unauthenticated attackers to access restricted PDF files via a known URL.

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-287 (Improper Authentication)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

m-files hubshare, versions ≤ 3.3.11.3

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information. (addresses CWE-200, CWE-287)
- Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities. (addresses CWE-200, CWE-287)
- Audit record review and analysis can detect unauthorized exposure or access to sensitive information. (addresses CWE-200, CWE-287)
- Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues. (addresses CWE-287, CWE-200)
- The integrated analysis team enables faster detection and containment of incidents involving unauthorized exposure of sensitive information, limiting attacker success in exploiting such weaknesses. (addresses CWE-200, CWE-287)
- Security architectures must specify authentication requirements and approaches, making systemic authentication weaknesses harder to introduce. (addresses CWE-287, CWE-200)
- Trained staff understand data-handling requirements and are less likely to expose sensitive information through misconfiguration or poor design. (addresses CWE-200, CWE-287)
- Hunting detects anomalous authentication patterns or successful bypasses that allow persistent unauthorized entry. (addresses CWE-287, CWE-200)