How severe is CVE-2022-44796?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2022-44796?

This is classified as CWE-338, which is a common weakness in software security.

CVE-2022-44796 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically strong sequences. An attacker can predict these sequences and generate a JWT token. As a result, an attacker can get access to the Web UI. This is fixed in Object First Ootbi BETA build 1.0.13.1611.

Related Vulnerabilities

CVE-2009-2367

CRITICAL

CVSS:9.8(Critical)

cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and gain privileges via brute force guessing attacks on the sess...

CWE-3382009

CVE-2011-4574

CRITICAL

CVSS:9.8(Critical)

PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). Th...

CWE-3382011

CVE-2015-9435

CRITICAL

CVSS:9.8(Critical)

The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.

CWE-3382015

CVE-2017-18021

CRITICAL

CVSS:9.8(Critical)

It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable passwords. This only applies to the QtPass GUI.

CWE-3382017

CVE-2019-16303

CRITICAL

CVSS:9.8(Critical)

A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This al...

CWE-3382019

CVE-2020-28642

CRITICAL

CVSS:9.8(Critical)

In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct admin Account Takeover attacks.

CWE-3382020