CVE-2022-3287

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-3287
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3287.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-3287
Downstream
Related
Published
2022-09-28T20:15:18Z
Modified
2025-10-21T07:07:28.330814Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.

References

Affected packages

Git / github.com/fwupd/fwupd

Affected ranges

Type
GIT
Repo
https://github.com/fwupd/fwupd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ea676855f2119e36d433fbd2ed604039f53b2091

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.8.0
0.8.1
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.10
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4

Other

fwupd_0_1_0
fwupd_0_1_1
fwupd_0_1_2

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "main",
            "file": "libfwupdplugin/fu-self-test.c"
        },
        "id": "CVE-2022-3287-1b606760",
        "signature_type": "Function",
        "digest": {
            "length": 6654.0,
            "function_hash": "227917478323252753942772574516484288925"
        }
    },
    {
        "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "libfwupdplugin/fu-plugin.c"
        },
        "id": "CVE-2022-3287-6f89733f",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "185694364291763376642641409172221107882",
                "233435206009929904409078305488020573124",
                "74499654005614357766165854005290688510",
                "51724551807383385144170535167135777641",
                "277646382442569870382172387158228914313",
                "129557590716005878388210207849088465328",
                "39984794960422302476945206173212967436",
                "96783522183038548586739436693424012024",
                "121505856104040833355480307156763806941",
                "19412089633113111749417454227755956960",
                "109371934755871094335088615757702522254",
                "306565628157472737633719401119601713126",
                "254471677914945781467302013504620918895",
                "160495244318518926839985964936445805787",
                "31970284475940352458706986219287961391",
                "333657930080506697992470144884423918179",
                "242283288313172417285452333850382015749",
                "290613462988412424815698065408901741896",
                "242332176029108878734290747012777413454",
                "197242592975941211741049831712828596721",
                "141270387646378681333192281509487491530",
                "105354130572029313441040541341812459245"
            ]
        }
    },
    {
        "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "libfwupdplugin/fu-self-test.c"
        },
        "id": "CVE-2022-3287-b43b8230",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "172713642334055919252251013068382982774",
                "319513597485738336899299336342497714212",
                "84298258347774728497669159493267459408",
                "154725807124619395619167265059380744563",
                "123196057370551060642552809795984979096",
                "311861332273394396525935250003739303214",
                "10135743727097914286452478474768985291"
            ]
        }
    },
    {
        "source": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "fu_plugin_set_secure_config_value",
            "file": "libfwupdplugin/fu-plugin.c"
        },
        "id": "CVE-2022-3287-d3be6af6",
        "signature_type": "Function",
        "digest": {
            "length": 613.0,
            "function_hash": "215192322070254730145595331785048088985"
        }
    }
]