
CVE-2022-37774: n/a in n/a

Medium
Published: Tue Nov 22 2022 (11/22/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

There is a broken access control vulnerability in the Maarch RM 2.8.3 solution. When accessing some specific document (pdf, email) from an archive, a preview is proposed by the application. This preview generates a URL including an md5 hash of the file accessed. The document's URL (https://{url}/tmp/{MD5 hash of the document}) is then accessible without authentication.

AI-Powered Analysis

Last updated: 06/24/2025, 22:50:29 UTC

Technical Analysis

CVE-2022-37774 is a medium-severity broken access control vulnerability affecting Maarch RM version 2.8.3, an open-source document and records management solution. The vulnerability arises from the way the application generates preview URLs for certain archived documents such as PDFs and emails. When a user requests a preview, the application creates a URL containing an MD5 hash of the document file, for example, https://{url}/tmp/{MD5 hash of the document}. Critically, this URL is accessible without any authentication or authorization checks, meaning that anyone who knows or can guess the MD5 hash can access the document preview directly.

Since MD5 hashes are deterministic and can be computed if the document content is known or partially known, this creates a risk of unauthorized disclosure of sensitive documents stored in the archive. The vulnerability does not require user interaction or privileges to exploit, and it affects confidentiality but not integrity or availability. The CVSS 3.1 base score is 5.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on confidentiality only. No known exploits have been reported in the wild, and no patches or vendor advisories are currently available.

The underlying weakness corresponds to CWE-287 (Improper Authentication), indicating that the application fails to properly enforce access controls on document preview URLs. This vulnerability could be leveraged by attackers to harvest sensitive information from document archives if they can enumerate or guess MD5 hashes, especially in environments where sensitive or confidential documents are stored and accessed via Maarch RM 2.8.3.
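The contrast between the content-derived preview name described above and a preview token that is unpredictable and tied to an authenticated session can be shown in a few lines. This is an added example, not code from Maarch RM or from the original page; the function names, the token layout and the `SERVER_KEY` secret are assumptions, and identifiers are assumed not to contain `|`.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret held only by the server.
SERVER_KEY = secrets.token_bytes(32)


def weak_preview_name(content: bytes) -> str:
    """Scheme described in the advisory: the URL name is MD5(file content)."""
    return hashlib.md5(content).hexdigest()


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_preview_token(doc_id: str, user_id: str, ttl: int = 300, now=None) -> str:
    """Hypothetical replacement: random nonce, bound to user and document, expiring."""
    issued = time.time() if now is None else now
    payload = f"{doc_id}|{user_id}|{int(issued + ttl)}|{secrets.token_urlsafe(16)}"
    return f"{payload}|{_sign(payload)}"


def check_preview_token(token: str, doc_id: str, session_user, now=None) -> bool:
    """Serve the preview only to the logged-in user the token was issued for."""
    if session_user is None:  # no authenticated session: always refuse
        return False
    parts = token.split("|")
    if len(parts) != 5:  # malformed token fails closed
        return False
    t_doc, t_user, t_exp, _nonce, sig = parts
    expected = _sign("|".join(parts[:4]))
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return t_doc == doc_id and t_user == session_user and current < int(t_exp)
```

The weak name depends only on the file bytes, so it is identical for every user and every request; the token differs on each issue and is useless without the matching session.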

Potential Impact

For European organizations using Maarch RM 2.8.3, this vulnerability poses a significant risk to the confidentiality of archived documents. Sensitive information such as personal data, internal communications, or proprietary documents could be exposed without authentication, violating data protection regulations like GDPR. The impact is particularly critical for sectors handling highly confidential or regulated data, including government agencies, healthcare providers, legal firms, and financial institutions. Unauthorized access to document previews could lead to data breaches, reputational damage, regulatory fines, and loss of trust. Since the vulnerability does not affect integrity or availability, the primary concern is information leakage. The ease of exploitation—no authentication or user interaction required—means that attackers or unauthorized insiders could potentially access sensitive documents remotely if they can discover or guess the MD5 hashes. This risk is amplified in environments where document contents or naming conventions are predictable, facilitating hash computation or brute forcing. Although no active exploitation is currently known, the presence of this vulnerability in a document management system used in Europe necessitates prompt attention to prevent potential data leaks.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:

1) Restrict access to the /tmp/ directory or the URL pattern serving document previews via web server configuration or network controls, limiting access to authenticated users or trusted IP ranges.
2) Implement additional authentication and authorization checks at the application level for document preview URLs to ensure only authorized users can access previews.
3) Replace the use of MD5 hashes in URLs with cryptographically stronger, unpredictable tokens or session-based access controls to prevent URL guessing or enumeration.
4) Monitor web server logs for unusual access patterns to /tmp/ URLs that may indicate scanning or brute forcing attempts.
5) If possible, upgrade to a newer version of Maarch RM where this vulnerability is fixed or apply custom patches to enforce proper access control.
6) Conduct an audit of archived documents accessible via preview URLs to identify and mitigate exposure of sensitive data.
7) Educate users and administrators about the risk of sharing preview URLs publicly or with unauthorized parties.
8) Employ web application firewalls (WAFs) to detect and block suspicious requests targeting document preview endpoints.

These measures go beyond generic advice by focusing on access control enforcement, URL tokenization, and monitoring specific to the vulnerability's exploitation vector.
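One way to carry out the log monitoring in measure 4, as an added example that is not part of the original page: it scans access-log lines for requests to /tmp/{32 hex characters} and flags clients that ask for many distinct hashes and mostly miss. The common/combined log format, the thresholds and the sample lines (documentation IP ranges, made-up hashes) are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Prefix of the common/combined log format: client, timestamp, request, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Preview URL shape from the advisory: /tmp/{MD5 hash of the document}
PREVIEW = re.compile(r"^/tmp/(?P<h>[0-9a-fA-F]{32})(?:[/?.].*)?$")


def suspicious_clients(lines, min_distinct=5, min_miss_ratio=0.8):
    """Return clients requesting many distinct preview hashes with mostly failed lookups."""
    stats = defaultdict(lambda: {"hashes": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = LINE.match(line)
        p = PREVIEW.match(m["path"]) if m else None
        if not p:
            continue  # not a preview request, or not a parseable line
        s = stats[m["ip"]]
        s["hashes"].add(p["h"].lower())
        s["hits" if m["status"] in ("200", "206", "304") else "misses"] += 1
    flagged = {}
    for ip, s in stats.items():
        total = s["hits"] + s["misses"]
        if len(s["hashes"]) >= min_distinct and s["misses"] / total >= min_miss_ratio:
            flagged[ip] = {"distinct_hashes": len(s["hashes"]),
                           "hits": s["hits"], "misses": s["misses"]}
    return flagged


def _line(ip, path, status):
    # Helper that builds one constructed log line.
    return f'{ip} - - [22/Nov/2022:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'


# Constructed sample: one client previews a single document twice, another
# walks through many hash values and is answered almost only with 404.
SAMPLE = [_line("192.0.2.10", f"/tmp/{1:032x}", 200)] * 2
SAMPLE += [_line("198.51.100.7", f"/tmp/{i:032x}", 404) for i in range(100, 108)]
SAMPLE += [_line("198.51.100.7", f"/tmp/{1:032x}", 200),
           _line("192.0.2.10", "/index.php", 200)]

if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE).items():
        print(ip, info)
```

Any successful response in the flagged client's `hits` count points at a document that was served without authentication and should be reviewed as part of the audit in measure 6.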


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-08-08T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef17a

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 10:50:29 PM

Last updated: 7/26/2025, 1:12:56 AM
