CVE-2022-45186
Published: 07 January 2025
Summary
CVE-2022-45186 is a high-severity an unspecified weakness vulnerability in Salesagility Suitecrm. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Customer Relationship Management Software (T1213.004); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2022-45186 is a vulnerability discovered in SuiteCRM version 7.12.7 that allows authenticated users to recover an arbitrary field from the database. This flaw affects the open-source customer relationship management software SuiteCRM, specifically the 7.12.7 release, enabling unauthorized access to sensitive database content beyond the user's privileges.
The vulnerability can be exploited over the network with low complexity by users with low privileges, such as any authenticated account, requiring no user interaction. Successful exploitation grants high-impact confidentiality by allowing recovery of arbitrary database fields and high-impact integrity by potentially enabling unauthorized modifications, with no impact on availability, as reflected in its CVSS v3.1 base score of 8.1.
Mitigation details are available in the SuiteCRM 7.12.x release documentation, which covers patches and updates for affected versions. Additional resources include the Orange Cyberdefense CVE repository and a corresponding proof-of-concept script demonstrating the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-48094
Vulnerability details
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthorized DB field access in SuiteCRM (CRM software) matches T1213.004 for data exfiltration from information repositories.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to prevent authenticated users from recovering arbitrary database fields beyond their privileges.
Restricts user access to only necessary database fields according to least privilege, directly mitigating unauthorized data recovery.
Requires timely remediation of flaws like CVE-2022-45186 through patching to eliminate the arbitrary field recovery vulnerability.