CVE-2022-22832
published 2022-02-06

CVE-2022-22832: An issue was discovered in Servisnet Tessa 0.0.2. Authorization data is available via an unauthenticated /data-service/users/ request.

Priority: P270
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 14.06% (96.1th percentile)

Affected (1 range)

Vendor: servisnet
Product: tessa
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /data-service/users/
path: /data-service/users/[userid]
path: /api/auth/signin
  • Detect unauthenticated GET requests to /data-service/users/ — no Authorization header required; any such request leaking user data indicates exploitation of CVE-2022-22832.
  • Monitor for GET requests to /js/app.js followed by requests to /data-service/users/<id> — this is the recon pattern used by the exploit to extract usersessionid values.
  • Detect POST requests to the users endpoint containing the hardcoded encrypted password value 'hxZ8I33nmy9PZNhYhms/Dg==' in the JSON body — this is the fixed password used by the exploit to create a rogue sysadmin account.
  • Alert on Authorization header construction pattern: base64-encoded 'username:usersessionid' used as a Basic token to impersonate admin users without knowing their password.
  • Detect POST requests to /api/auth/signin followed immediately by enumeration of /data-service/users/<incrementing numeric IDs> — indicates privilege escalation attempt via session hijacking.
  • Flag responses from /data-service/users/<id> containing the string 'Sistem Admin' — the exploit specifically searches for this role name to identify admin accounts to hijack.
  • Detect new user creation POST requests to the users endpoint where role_id=1 and role_name='Sistem Admin' — this is the payload used to add a rogue sysadmin.
  • The exploit requires an active admin session (usersessionid) to be present — if no admin is currently logged in, the privilege escalation step will fail. Detection based on session hijacking may miss attempts made during off-hours.
  • The exploit enumerates user IDs numerically starting from 0 up to the attacker's own userid — detection rules should account for sequential GET requests to /data-service/users/<n> from the same source IP.
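The detection bullets above describe request patterns rather than a rule you can run. The script below is an added example, not part of this record or of any vendor tooling: it reads a simplified, constructed access-log format (one line per request with source IP, method, path, whether an Authorization header was present, and status code; real Servisnet Tessa logs are not assumed to look like this) and raises the three findings the bullets call for, per source IP: unauthenticated 200 responses under /data-service/users/, sequential enumeration of /data-service/users/<n>, and enumeration that follows a POST to /api/auth/signin, plus the /js/app.js recon pattern. The threshold of three consecutive IDs is an assumption to tune.

```python
import re
from collections import defaultdict

# Constructed sample traffic (NOT captured data). Assumed format per line:
#   <src_ip> <METHOD> <path> auth=<yes|no> status=<code>
# One source enumerates user IDs without credentials after hitting signin;
# another makes a single authenticated lookup and should not be flagged.
SAMPLE_LOG = """\
10.0.0.5 GET /js/app.js auth=no status=200
10.0.0.5 GET /data-service/users/ auth=no status=200
10.0.0.5 POST /api/auth/signin auth=no status=200
10.0.0.5 GET /data-service/users/0 auth=no status=200
10.0.0.5 GET /data-service/users/1 auth=no status=200
10.0.0.5 GET /data-service/users/2 auth=no status=200
10.0.0.5 GET /data-service/users/3 auth=no status=200
10.0.0.9 GET /data-service/users/42 auth=yes status=200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"auth=(?P<auth>yes|no) status=(?P<status>\d+)$"
)
# Matches the per-user endpoint from the IOC list, capturing the numeric id.
USER_ID_RE = re.compile(r"^/data-service/users/(\d+)$")
USERS_PREFIX = "/data-service/users/"


def parse_lines(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def summarize(log_text):
    """Collect the per-source facts the detection rules need."""
    per_ip = defaultdict(lambda: {"unauth_hits": 0, "ids": [], "signin": False, "app_js": False})
    for rec in parse_lines(log_text):
        s = per_ip[rec["ip"]]
        if rec["method"] == "GET" and rec["path"] == "/js/app.js":
            s["app_js"] = True
        if rec["method"] == "POST" and rec["path"] == "/api/auth/signin":
            s["signin"] = True
        # Core CVE-2022-22832 signal: user data served with no Authorization header.
        if (rec["method"] == "GET" and rec["path"].startswith(USERS_PREFIX)
                and rec["auth"] == "no" and rec["status"] == 200):
            s["unauth_hits"] += 1
        m = USER_ID_RE.match(rec["path"])
        if m and rec["method"] == "GET":
            s["ids"].append(int(m.group(1)))  # keep request order for run detection
    return per_ip


def longest_sequential_run(ids):
    """Length of the longest run of consecutive, increasing ids (0 for no ids)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect(log_text, enum_threshold=3):
    """Return {source_ip: [finding, ...]} for sources that match any rule."""
    findings = {}
    for ip, s in summarize(log_text).items():
        alerts = []
        if s["unauth_hits"]:
            alerts.append(f"unauthenticated user-data access ({s['unauth_hits']} requests)")
        run = longest_sequential_run(s["ids"])
        if run >= enum_threshold:
            alerts.append(f"sequential user-id enumeration (run of {run})")
            if s["signin"]:
                alerts.append("enumeration after /api/auth/signin (possible session hijack)")
        if s["app_js"] and s["ids"]:
            alerts.append("recon pattern: /js/app.js then /data-service/users/<id>")
        if alerts:
            findings[ip] = alerts
    return findings


if __name__ == "__main__":
    for ip, alerts in detect(SAMPLE_LOG).items():
        print(ip)
        for a in alerts:
            print("  -", a)
```

Run as-is it reports only 10.0.0.5, with all four findings; the authenticated single lookup from 10.0.0.9 is silent. The unauthenticated-access rule is the one that matters for this CVE and needs no threshold: a 200 response to a credential-less GET under /data-service/users/ is the vulnerable behaviour itself, so it is also a quick way to confirm whether an instance is still exposed.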

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C