CVE-2022-30359
📋 TL;DR
OvalEdge versions 5.2.8.0 and earlier expose sensitive user data through an authenticated GET request to /user/getUserList. This vulnerability allows authenticated attackers to retrieve comprehensive user information including personal details, email addresses, and system roles. Organizations running affected OvalEdge versions are at risk of data privacy violations.
💻 Affected Systems
- OvalEdge
📦 What is this software?
OvalEdge by OvalEdge
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all user data for identity theft, credential stuffing attacks, or social engineering campaigns, potentially leading to account compromise and lateral movement within the organization.
Likely Case
Authenticated users (including low-privileged accounts) can enumerate all system users, gather email addresses for phishing, and map organizational structure for targeted attacks.
If Mitigated
With proper access controls and network segmentation, impact is limited to authorized users who already have legitimate access to some user data.
🎯 Exploit Status
Exploitation requires valid authentication but is trivial via a single HTTP GET request. No special tools or skills are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.2.8.0
Vendor Advisory: https://cve.offsecguy.com/ovaledge/vulnerabilities/sensitive-data-exposure#cve-2022-30359
Restart Required: Yes
Instructions:
1. Upgrade OvalEdge to a version newer than 5.2.8.0.
2. Restart the OvalEdge service.
3. Verify the endpoint no longer returns sensitive user data.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or restrict access to the /user/getUserList endpoint
WAF-specific configuration to block GET /user/getUserList
Network Access Control
Restrict access to OvalEdge administration interfaces
Firewall rules to limit access to trusted IPs only
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized access to user data endpoints
- Segment OvalEdge deployment to limit exposure and implement compensating network controls
🔍 How to Verify
Check if Vulnerable:
Authenticate to OvalEdge and send a GET request to /user/getUserList. If it returns detailed user information including emails and personal data, the system is vulnerable.
Check Version:
Check the OvalEdge version in the administration interface or via system documentation.
Verify Fix Applied:
After patching, the same GET request should return limited or no sensitive user data.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /user/getUserList from a single user
- Unusual access patterns to user data endpoints
Network Indicators:
- HTTP GET requests to /user/getUserList with successful authentication
SIEM Query:
source="ovaledge" AND url="/user/getUserList" AND method="GET" AND status=200
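The log indicator and SIEM query above can be turned into a small offline detection that runs over exported access logs. The following is an added example, not code from the advisory or from OvalEdge: it parses a constructed log format (timestamp, user, method, path, status), keeps only successful GET requests to /user/getUserList, and flags any user who issues at least `threshold` such requests inside a sliding time window. The log format, the sample lines and the thresholds are assumptions for the example; adapt `parse_line()` to the proxy or application log format actually in use.

```python
"""Flag repeated successful GET /user/getUserList requests per user.

Added example for the detection section of this advisory; the log format and
sample lines below are constructed, not real OvalEdge output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <user> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
TARGET_PATH = "/user/getUserList"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def matches_indicator(rec):
    """The advisory's network/SIEM indicator: GET to the endpoint with a 200 response.

    The query string is stripped so paginated variants of the same call still match.
    """
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "GET" and path == TARGET_PATH and rec["status"] == 200


def find_repeat_enumerators(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {user: max_hits_in_window} for users at or above the threshold.

    A sliding window over each user's sorted timestamps gives the largest number
    of matching requests that fall within any span of length `window`.
    """
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and matches_indicator(rec):
            per_user[rec["user"]].append(rec["ts"])

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


# Constructed sample log: one normal user, one user paging through the list
# rapidly, one user whose calls mostly fail authorization, one slow user, and
# one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 alice GET /user/getUserList 200",
    "2024-05-01T09:00:05 alice GET /home 200",
    "2024-05-01T09:01:00 svc_report GET /user/getUserList 200",
    "2024-05-01T09:02:10 svc_report GET /user/getUserList?page=2 200",
    "2024-05-01T09:03:20 svc_report GET /user/getUserList?page=3 200",
    "2024-05-01T09:04:30 svc_report GET /user/getUserList?page=4 200",
    "2024-05-01T09:05:00 bob GET /user/getUserList 401",
    "2024-05-01T09:05:30 bob GET /user/getUserList 403",
    "2024-05-01T09:06:00 bob GET /user/getUserList 200",
    "2024-05-01T09:10:00 carol GET /user/getUserList 200",
    "2024-05-01T09:30:00 carol GET /user/getUserList 200",
    "2024-05-01T09:50:00 carol GET /user/getUserList 200",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for user, hits in sorted(find_repeat_enumerators(SAMPLE_LOG).items()):
        print(f"ALERT user={user} successful_getUserList_hits_in_window={hits}")
```

With the default settings only `svc_report` is flagged (4 hits within 10 minutes); `carol` is flagged only if the window is widened to an hour, which is the knob to tune against the normal rate of administrative use in your environment. Requests that return 401 or 403 are deliberately excluded from the count, matching the `status=200` condition in the SIEM query, but a burst of failed calls to the endpoint is still worth a separate alert.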