CVE-2022-22733
published 2022-01-20


Priority: P3 · 54
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Exploit: EPSS 20.90% (97.2nd percentile)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has a guest account to perform privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI 3.x, version 3.0.0 and prior versions.

Affected (2 ranges)

Vendor                      Product                               Version range   Fixed in
apache                      shardingsphere_elasticjob-ui
apache_software_foundation  apache_shardingsphere_elasticjob-ui   3.x – 3.0.0

Detection & IOCs

url: /api/login
other: shodan:http.favicon.hash:816588900
other: fofa:icon_hash=816588900

snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache ShardingSphere ElasticJob-UI Privilege Escalation Attempt (CVE-2022-22733)"; flow:established,to_server; flowbits:set,ET.CVE-2022-22733.Attempt; http.method; content:"POST"; http.uri; bsize:10; content:"/api/login"; fast_pattern; http.request_body; content:"|22|username|22 3a 22|guest|22 2c|"; content:"|22|password|22 3a 22|guest|22|"; within:20; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-22733.yaml; reference:cve,2022-22733; classtype:attempted-admin; sid:2056773; rev:1;)

snort:
alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Apache ShardingSphere ElasticJob-UI Privilege Escalation - Successful Attempt (CVE-2022-22733)"; flow:established,to_client; flowbits:isset,ET.CVE-2022-22733.Attempt; http.stat_code; content:"200"; http.response_body; content:"|22|success|22 3a|true|2c|"; content:"|22|errorCode|22 3a|0|2c|"; within:16; content:"|22|model|22 3a 7b|"; within:11; content:"|22|isGuest|22 3a|true|2c|"; within:20; content:"|22|accessToken|22 3a|"; within:20; content:"|22|eyJyb290VXNlcm5hbWUi"; within:30; fast_pattern; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-22733.yaml; reference:cve,2022-22733; classtype:attempted-admin; sid:2056774; rev:1;)

bytes: |22|eyJyb290VXNlcm5hbWUi
  • Exploit attempt: HTTP POST to /api/login with hardcoded guest credentials in JSON body; URI must be exactly 10 bytes
  • Successful exploitation response contains JSON fields: success:true, errorCode:0, isGuest:true, and an accessToken starting with eyJyb290VXNlcm5hbWUi (base64 JWT prefix)
  • Nuclei template matcher checks HTTP 200 response body for '"success":true', '"isGuest":true', and '"accessToken":' simultaneously
  • Asset discovery: identify exposed ElasticJob-UI instances via Shodan favicon hash 816588900 or FOFA icon_hash=816588900
  • Both Snort/ET rules are marked tls_state plaintext — detection will NOT fire on TLS-encrypted traffic; deploy SSL inspection for full coverage
  • Vulnerability affects only Apache ShardingSphere ElasticJob-UI 3.x up to and including version 3.0.0

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd     v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:P/I:N/A:N