CVE-2022-44795 is a medium-severity vulnerability identified in the Object First Ootbi BETA software, specifically in build 1.0.7.712. The flaw resides in the Web Service component responsible for generating URLs to support bundles. The vulnerability stems from the use of an insecure random number generator (RNG) when creating these URLs, which makes the URLs predictable. An attacker with valid credentials can exploit this predictability to access system logs by guessing or reconstructing the URL to the support bundle. This leads to local information disclosure, potentially exposing sensitive system information contained within the logs. The vulnerability does not affect confidentiality, integrity, or availability beyond information disclosure, and no user interaction is required to exploit it. Importantly, this issue is confined to the beta version of the software, which is not intended for production environments. The production-ready version of Object First Ootbi has this vulnerability fixed as of build 1.0.13.1611. The CVSS 3.1 base score is 6.5, reflecting a medium severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. There are no known exploits in the wild, and no patch links are provided, likely because the fix is integrated into the production release rather than as a separate patch for the beta version. The underlying weakness is categorized under CWE-330, which relates to the use of insufficiently random values in security-critical contexts.

For European organizations, the direct impact of this vulnerability is limited due to its presence only in a beta version of the Object First Ootbi software, which is not deployed in production environments. However, if organizations are involved in testing or development using the beta version, there is a risk of sensitive system log information being exposed to authenticated attackers. This could lead to leakage of operational details, error messages, or other sensitive diagnostic data that might aid further attacks or reconnaissance. Since exploitation requires valid credentials, the threat is primarily to insiders or attackers who have already compromised user accounts. The confidentiality impact is significant in such scenarios, but there is no direct impact on system integrity or availability. Given that the production version is fixed, the risk to critical infrastructure or business operations in Europe is minimal. Nonetheless, organizations should be cautious about using beta software in environments where sensitive data is processed or stored.

European organizations should avoid deploying the Object First Ootbi beta versions in any environment that contains sensitive or production data. For those involved in testing or development, ensure that access to the beta software is tightly controlled and limited to trusted personnel. Implement strong credential management practices to prevent unauthorized access, including multi-factor authentication (MFA) for all users with access to the system. Monitor access logs for unusual activity around support bundle URLs or system logs. If beta testing is necessary, isolate the environment from production networks and sensitive data stores. Upon upgrading to the production-ready Object First Ootbi version (1.0.13.1611 or later), verify that the fix is applied and validate that URL generation uses a cryptographically secure RNG. Additionally, consider implementing network-level controls to restrict access to support bundle URLs and system logs, such as IP whitelisting or VPN access. Regularly audit and review system logs to detect any unauthorized access attempts. Finally, maintain an up-to-date inventory of software versions in use to ensure no beta versions remain in production inadvertently.