CVE-2022-22832
📋 TL;DR
CVE-2022-22832 is an authorization bypass vulnerability in Servisnet Tessa where unauthenticated users can access sensitive user data via the /data-service/users/ endpoint. This allows attackers to retrieve authorization information and potentially escalate privileges. Organizations using Servisnet Tessa 0.0.2 are affected.
💻 Affected Systems
- Servisnet Tessa
📦 What is this software?
Tessa by Servisnet
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, compromise all user accounts, and take full control of the system, potentially leading to data theft, system manipulation, or ransomware deployment.
Likely Case
Attackers harvest user credentials and authorization data, enabling privilege escalation to access sensitive information and perform unauthorized actions within the application.
If Mitigated
With proper network segmentation and access controls, impact is limited to the specific Tessa instance, though credential exposure still poses significant risk.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Block Unauthenticated Access to /data-service/users/
Configure the web server or firewall to block unauthenticated requests to the vulnerable endpoint. The example rules below deny every request to the path, including authenticated ones.
# Example for Apache: RewriteRule ^/data-service/users/.*$ - [F,L]
# Example for Nginx: location ~ ^/data-service/users/ { deny all; }
Implement Authentication Middleware
Add authentication checks before processing /data-service/users/ requests
# Implementation depends on application framework
🧯 If You Can't Patch
- Isolate Tessa instance behind a firewall with strict access controls
- Implement network segmentation to limit lateral movement if compromised
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to http://[target]/data-service/users/ without authentication. If it returns user data, the system is vulnerable.
Check Version:
Check application version in web interface or configuration files
Verify Fix Applied:
Repeat the vulnerability check. If it returns an authentication error or no data, the fix is working.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /data-service/users/ endpoint
- Requests to /data-service/users/ from unauthenticated sessions
Network Indicators:
- HTTP GET requests to /data-service/users/ without authentication headers
- Unusual data exfiltration patterns
SIEM Query:
source="web_server" AND uri="/data-service/users/" AND NOT (auth_token EXISTS OR session_id EXISTS)
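The same check can be run offline over exported request logs. The script below is an added example, not code from the vendor or from the original page. It reuses the `uri`, `auth_token` and `session_id` field names from the query above; the JSON-lines layout and the `src_ip` and `status` fields are assumptions, and the sample events are constructed. It normalizes each path first, so sub-paths, query strings, duplicate slashes and percent-encoded variants of the endpoint are matched as well as the exact URI.

```python
import json
import posixpath
from collections import defaultdict
from urllib.parse import unquote

PROTECTED_PREFIX = "/data-service/users"  # endpoint named in the advisory

def normalize_path(uri):
    """Drop query/fragment, percent-decode once, collapse '//', '/./', '/../'."""
    path = unquote(uri.split("?", 1)[0].split("#", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def is_protected(uri):
    path = normalize_path(uri)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")

def is_unauthenticated(event):
    # Same condition as the SIEM query: neither field is present.
    return not event.get("auth_token") and not event.get("session_id")

def find_unauthenticated_access(lines):
    """Return {src_ip: {"exposed": n, "denied": n}} for unauthenticated hits."""
    hits = defaultdict(lambda: {"exposed": 0, "denied": 0})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(event, dict):
            continue
        if not is_protected(str(event.get("uri", ""))) or not is_unauthenticated(event):
            continue
        status = event.get("status")
        served = isinstance(status, int) and 200 <= status < 300
        hits[event.get("src_ip", "unknown")]["exposed" if served else "denied"] += 1
    return dict(hits)

# Constructed sample events (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.7","uri":"/data-service/users/","status":200}',
    '{"src_ip":"203.0.113.7","uri":"/data-service//users/42?fields=all","status":200}',
    '{"src_ip":"203.0.113.7","uri":"/data-service/%75sers/","status":403}',
    '{"src_ip":"198.51.100.20","uri":"/data-service/users/","status":200,"session_id":"s-1"}',
    '{"src_ip":"198.51.100.9","uri":"/data-service/usersettings","status":200}',
    'not json',
]

if __name__ == "__main__":
    print(find_unauthenticated_access(SAMPLE_LOG))
```

A non-zero `exposed` count means the endpoint returned a success status to a request with no session or token, which is the condition to treat as an incident; `denied` counts show the workaround rejecting such requests.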
🔗 References
- http://packetstormsecurity.com/files/165873/Servisnet-Tessa-Privilege-Escalation.html
- http://www.servisnet.com.tr/en/page/products
- https://www.exploit-db.com/exploits/50712
- https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html