CVE-2022-29174

8.1 HIGH

📋 TL;DR

CVE-2022-29174 is a password reset token vulnerability in Countly Server that allows attackers who know a user's email/username and full name to guess the reset token and take over accounts. This affects Countly Server installations prior to versions 22.03.7 (new UI) and 21.11.4 (old UI). The vulnerability enables account takeover without requiring initial authentication.

💻 Affected Systems

Products:
  • Countly Server
Versions: All versions prior to 22.03.7 (new UI) and 21.11.4 (old UI)
Operating Systems: All platforms running Countly Server
Default Config Vulnerable: ⚠️ Yes
Notes: Both new and old user interface versions are affected, requiring different patch versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of administrative accounts leading to data exfiltration, system takeover, and potential lateral movement within the Countly infrastructure.

🟠 Likely Case

Unauthorized access to user accounts, potential data leakage of analytics information, and privilege escalation if administrative accounts are compromised.

🟢 If Mitigated

Limited impact with strong monitoring, multi-factor authentication, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH - Countly servers are typically internet-facing analytics platforms, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal deployments still risk account takeover but with reduced external attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires knowledge of target's email/username and full name, which may be obtainable through reconnaissance or social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.03.7 for new UI, 21.11.4 for old UI

Vendor Advisory: https://github.com/Countly/countly-server/security/advisories/GHSA-98vh-wqw5-p23v

Restart Required: Yes

Instructions:

1. Identify your Countly Server UI version (new or old).
2. Update to 22.03.7 for new UI or 21.11.4 for old UI.
3. Restart the Countly Server service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Password Reset Functionality

Platform: all

Temporarily disable password reset features until patching can be completed.

# Modify Countly configuration to disable password reset
# Specific commands depend on Countly deployment method

Implement Rate Limiting

Platform: linux

Add rate limiting to password reset endpoints to prevent brute force attacks.

# Configure the web server or application firewall to limit requests to the /api/reset endpoints
# nginx example: define a per-client-IP zone (1 request/minute), then apply it in the location that serves the reset endpoint
limit_req_zone $binary_remote_addr zone=reset:10m rate=1r/m;
location /api/reset { limit_req zone=reset burst=3 nodelay; }

🧯 If You Can't Patch

  • Implement multi-factor authentication for all user accounts
  • Monitor authentication logs for suspicious password reset attempts and account lockouts

🔍 How to Verify

Check if Vulnerable:

Check Countly Server version via web interface or configuration files. Versions below 22.03.7 (new UI) or 21.11.4 (old UI) are vulnerable.

Check Version:

# Check Countly version via API
curl -s 'http://countly-server/api/status' | grep version

Verify Fix Applied:

Verify version is 22.03.7 or higher for new UI, or 21.11.4 or higher for old UI. Test password reset functionality to ensure tokens are properly randomized.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts for same account
  • Successful password reset from unusual IP addresses
  • Account login from new location immediately after password reset

Network Indicators:

  • Unusual volume of requests to /api/reset endpoints
  • Pattern of sequential token guessing attempts

SIEM Query:

source="countly.log" AND ("password reset" OR "reset token") AND status=200 | stats count by src_ip, user
