Skip to main content

CVE-2022-40713: n/a in n/a

Medium
VulnerabilityCVE-2022-40713cvecve-2022-40713
Published: Mon Sep 19 2022 (09/19/2022, 15:52:28 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in NOKIA 1350OMS R14.2. Multiple Relative Path Traversal issues exist in different specific endpoints via the file parameter, allowing a remote authenticated attacker to read files on the filesystem arbitrarily.

AI-Powered Analysis

AILast updated: 07/04/2025, 12:42:27 UTC

Technical Analysis

CVE-2022-40713 is a medium-severity vulnerability identified in the NOKIA 1350OMS R14.2 system. The vulnerability arises from multiple relative path traversal issues present in various specific endpoints of the system. These issues are exploitable via the 'file' parameter, which allows a remote attacker with authenticated access to manipulate the file path input. By exploiting this flaw, the attacker can traverse directories on the filesystem arbitrarily and read sensitive files outside the intended directory scope. This type of vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and necessitates that the attacker has privileges to authenticate (PR:L) but does not require any user interaction (UI:N). The vulnerability impacts confidentiality significantly (C:H), but does not affect integrity or availability (I:N/A:N). No known public exploits have been reported in the wild, and no patches or vendor advisories are currently linked. The lack of detailed product versioning information limits precise scope assessment, but the affected product is a Nokia Operations and Maintenance System (1350OMS), which is typically used in telecommunications network management environments.

Potential Impact

For European organizations, particularly telecommunications providers and network operators using Nokia 1350OMS R14.2, this vulnerability poses a significant risk to confidentiality. An authenticated attacker could leverage this flaw to access sensitive configuration files, credentials, or other critical data stored on the system, potentially leading to further compromise or information leakage. Given the role of 1350OMS in managing network operations, unauthorized disclosure of operational data could disrupt service management, expose network topology, or facilitate subsequent attacks. The requirement for authentication reduces the risk from external attackers but does not eliminate insider threats or risks from compromised credentials. The absence of integrity or availability impact means the system's operation is not directly disrupted by this vulnerability, but the confidentiality breach could have cascading effects on trust and security posture. European telecom operators are subject to strict data protection regulations (e.g., GDPR), so unauthorized data exposure could also lead to regulatory penalties and reputational damage.

Mitigation Recommendations

To mitigate CVE-2022-40713, European organizations should first verify if they are running Nokia 1350OMS R14.2 or related versions and restrict access to the management interfaces to trusted personnel only. Implement strict access controls and multi-factor authentication to reduce the risk of credential compromise. Conduct thorough audits of user accounts and permissions to limit authenticated access to only necessary users. Network segmentation should be employed to isolate management systems from general network traffic. Since no official patches are currently available, organizations should consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block path traversal attempts targeting the 'file' parameter. Monitoring and logging access to the affected endpoints should be enhanced to detect anomalous file access patterns. Additionally, organizations should engage with Nokia support channels to obtain updates or patches and apply them promptly once available. Regular security assessments and penetration testing focusing on path traversal vulnerabilities can help identify residual risks.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-09-14T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f3ee7182aa0cae28796d2

Added to database: 6/3/2025, 6:28:55 PM

Last enriched: 7/4/2025, 12:42:27 PM

Last updated: 8/18/2025, 1:58:39 PM

Views: 14

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats