Cyber Resilience

CVE-2022-48366

Low

Published: 12 March 2023

Modified: 04 March 2025
KEV Added
Patch
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0023 (46.0th percentile)
Risk Priority: 8 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-48366 is a low-severity Race Condition (CWE-362) vulnerability in Ibexa Commerce. Its CVSS base score is 3.7 (Low).

Operationally, it is ranked at the 46.0th percentile by exploit likelihood (EPSS), below the median. It is not currently listed in the CISA KEV catalog.

Vulnerability details

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions

ibexa / commerce: 2.5.0 — 2.5.13 · 3.3.0 — 3.3.18 · 4.0.0 — 4.0.7
ibexa / digital experience platform: 3.3.0 — 3.3.20 · 4.0.0 — 4.0.7 · 4.1.0 — 4.1.4
ibexa / ez platform: ≤ 2.5.30
ibexa / ezplatform-page-builder: 1.3.0 — 1.3.27 · 2.3.0 — 2.3.19
ibexa / jmspaymentcorebundle: 3.0.0 — 3.0.2
ibexa / ez platform kernel: 1.3.0 — 1.3.19 · 7.5.0 — 7.5.29
ibexa / kernel: 4.0.0 — 4.0.7 · 4.1.0 — 4.1.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-362

Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.

addresses: CWE-362

Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.
