CVE-2022-27192

7.5 HIGH

📋 TL;DR

CVE-2022-27192 is an information disclosure vulnerability in the Reporting module of Aseco Lietuva's DVS Avilys document management system. It allows unauthenticated attackers to download administrative files by impersonating administrators. Organizations using DVS Avilys versions before 3.5.58 are affected.

💻 Affected Systems

Products:
  • Aseco Lietuva DVS Avilys
Versions: All versions before 3.5.58
Operating Systems: Any OS running DVS Avilys
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Reporting module specifically. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of sensitive administrative files, credentials, and system configuration data leading to full system takeover or data breach.

🟠 Likely Case

Unauthorized access to sensitive documents, configuration files, and potentially credentials stored in administrative directories.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows remote attackers to access sensitive files without credentials.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public proof-of-concept demonstrates file download capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.58 and later

Vendor Advisory: https://lt.asseco.com/sprendimai/dokumentu-valdymas/dvs-avilys/

Restart Required: Yes

Instructions:

1. Download DVS Avilys version 3.5.58 or later from the official vendor site.
2. Back up the current installation and data.
3. Install the updated version following vendor documentation.
4. Restart the DVS Avilys service.
5. Verify functionality post-update.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict network access to DVS Avilys to trusted IP addresses only:

iptables -A INPUT -p tcp --dport [DVS_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [DVS_PORT] -j DROP

Because -A appends to the end of the INPUT chain, these rules only take effect if no earlier rule already accepts traffic to that port; check the existing chain with iptables -L INPUT -n --line-numbers first.

Web Server Configuration (all)

Add authentication requirements to Reporting module endpoints:

# Configure web server (Apache/Nginx) to require authentication for /reporting/* paths

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate DVS Avilys from untrusted networks
  • Deploy web application firewall (WAF) rules to block unauthorized file download patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the installed version is below 3.5.58. Attempt to access administrative files via Reporting module endpoints without authentication.

Check Version:

Check DVS Avilys admin interface or configuration files for version information

Verify Fix Applied:

After patching, repeat the same unauthenticated file access attempts; they should now be rejected with an authentication requirement.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /reporting/* endpoints
  • File download patterns from unauthenticated sources
  • Access to administrative file paths

Network Indicators:

  • HTTP GET requests to reporting endpoints without authentication headers
  • Unusual file download patterns from DVS Avilys server

SIEM Query:

source="dvs_avilys_logs" AND (uri_path="/reporting/*" AND NOT auth_success="true")
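The same indicator as the SIEM query above, applied offline to log lines, as an added example that is not part of the original advisory or the vendor's tooling. It assumes key=value log lines carrying the page's uri_path and auth_success fields (constructed sample data; the real DVS Avilys log format is not documented here) and separates served 2xx responses, where data may already have been disclosed, from rejected probes.

```python
import re

# Constructed sample log lines (not real DVS Avilys logs): key=value fields that
# mirror the SIEM query fields on this page (uri_path, auth_success). The exact
# log format of DVS Avilys is an assumption.
SAMPLE_LOGS = """\
ts=2024-01-10T09:00:01Z src=10.0.5.12 method=GET uri_path=/reporting/export status=200 bytes=48211 auth_success=true user=jdoe
ts=2024-01-10T09:00:07Z src=198.51.100.23 method=GET uri_path=/reporting/export status=200 bytes=48211 auth_success=false user=-
ts=2024-01-10T09:00:09Z src=198.51.100.23 method=GET uri_path=/reporting/admin/config status=200 bytes=9120 auth_success=false user=-
ts=2024-01-10T09:01:00Z src=10.0.5.40 method=GET uri_path=/login status=200 bytes=1200 auth_success=false user=-
ts=2024-01-10T09:02:00Z src=198.51.100.23 method=GET uri_path=/reporting/export status=401 bytes=0 auth_success=false user=-
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; empty dict for blank lines."""
    return dict(KV_RE.findall(line))

def classify(event):
    """Apply the page's indicator (request under /reporting/ without
    auth_success=true). Returns 'served' when the server answered 2xx (data
    may have been disclosed), 'probe' when it was rejected, None otherwise."""
    if not event.get("uri_path", "").startswith("/reporting/"):
        return None
    if event.get("auth_success") == "true":
        return None
    return "served" if event.get("status", "").startswith("2") else "probe"

def find_hits(log_text):
    """Return (event, verdict) pairs for every line matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        verdict = classify(event) if event else None
        if verdict:
            hits.append((event, verdict))
    return hits

def served_by_source(hits):
    """Count 'served' hits per source address, the ones to triage first."""
    counts = {}
    for event, verdict in hits:
        if verdict == "served":
            counts[event["src"]] = counts.get(event["src"], 0) + 1
    return counts
```

Run find_hits(SAMPLE_LOGS) and then served_by_source(...) on the result to get the per-source count of unauthenticated Reporting requests that were actually answered with content.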
