CVE-2022-45166
Description
An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a set of user-controlled parameters that are used to act on the data returned to the user. It allows a basic user to access data unrelated to their role.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged user in Archibus Web Central 2022.03.01.107 can access data outside their role via a service that accepts user-controlled parameters.
Vulnerability
Archibus Web Central version 2022.03.01.107 exposes a service that accepts user-controlled parameters to act on returned data. This design flaw allows a basic user to access data unrelated to their role. The vulnerability does not require any special configuration beyond having a valid low-privileged account.
Exploitation
An attacker needs only a basic, authenticated user account on the affected Archibus Web Central instance. No special privileges, network position, or user interaction is required. By manipulating the user-controlled parameters supplied to the exposed service, the attacker can retrieve data that should be restricted to other roles.
Impact
Successful exploitation results in unauthorized disclosure of sensitive information (confidentiality breach). The CVSS vector indicates a HIGH confidentiality impact with no impact on integrity or availability. The attacker gains access to data that is not intended for their assigned role but does not obtain elevated privileges (e.g., administrative rights).
Mitigation
As of the published advisory date (30 November 2022), no patches or official fixes were available from the vendor [1][2]. The vendor was notified on multiple occasions starting 29 July 2022, but no fix has been released. No workarounds are documented in the available references. Administrators should monitor vendor updates for a future patch.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Archibus/Web Central
- Range: =2022.03.01.107
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.