
CVE-2022-45164: n/a in n/a

Medium
Published: Tue Jan 10 2023 (01/10/2023, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to cancel (delete) a booking created by someone else, even if this basic user is not a member of the booking.

AI-Powered Analysis

Last updated: 07/08/2025, 15:55:58 UTC

Technical Analysis

CVE-2022-45164 is a medium-severity vulnerability identified in Archibus Web Central version 2022.03.01.107. Archibus Web Central is a widely used integrated workplace management system (IWMS) that facilitates space management, real estate, and facilities management. The vulnerability arises from improper access control in a service exposed by the application, which allows a basic user to cancel or delete a booking created by another user, even if the basic user is not a member of that booking. This indicates a failure in enforcing authorization checks, specifically a lack of proper permission validation (CWE-284: Improper Access Control). The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must have basic user privileges (PR:L), but no elevated privileges are necessary. The impact is limited to availability aspects of the booking data, as confidentiality and integrity are not affected. There is no indication of known exploits in the wild, and no patches or vendor advisories are currently linked to this CVE. The CVSS v3.1 base score is 4.3, reflecting a medium severity level primarily due to the limited scope and impact of the vulnerability.

Potential Impact

For European organizations using Archibus Web Central, this vulnerability could disrupt facility and resource management operations by allowing unauthorized users to cancel bookings made by others. This could lead to operational inefficiencies, scheduling conflicts, and potential loss of trust in the booking system. While the confidentiality and integrity of data are not compromised, the availability and reliability of booking services are affected. In critical environments such as hospitals, universities, government buildings, or large corporate campuses, such disruptions could have cascading effects on daily operations and resource allocation. Additionally, repeated exploitation could be used as a denial-of-service vector against booking functionalities, impacting user productivity and organizational workflows.

Mitigation Recommendations

Organizations should implement strict access control policies within Archibus Web Central, ensuring that booking cancellation permissions are correctly enforced based on user roles and booking ownership. Until an official patch is released, administrators should consider the following practical steps:

1) Restrict basic user permissions to prevent booking cancellations unless explicitly authorized.
2) Monitor booking cancellation logs for unusual activity or cancellations by unauthorized users.
3) Employ network segmentation and application-layer firewalls to limit access to the booking service to trusted users only.
4) Engage with the Archibus vendor or support channels to obtain updates or patches addressing this vulnerability.
5) Conduct internal audits of user roles and permissions regularly to ensure least privilege principles are applied.
6) Consider temporary manual approval workflows for booking cancellations to mitigate unauthorized deletions.
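As an added illustration, not code from Archibus or from the analysis above: a hypothetical cancel-booking handler in the shape the description implies (any authenticated user may cancel), its hardened form that enforces ownership or membership server-side, and a review of constructed audit-log entries for cancellations by non-members, the pattern that mitigation step 2 asks administrators to watch for. The booking model, role name "booking_admin" and log format are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Booking:
    booking_id: str
    owner: str
    members: set = field(default_factory=set)
    cancelled: bool = False

class NotAuthorized(Exception):
    """Raised when the caller may not cancel the booking."""

def may_cancel(user: str, roles: set, booking: Booking) -> bool:
    # Hypothetical rule: the owner, a listed member, or a booking administrator
    # may cancel. A merely authenticated "basic" user may not.
    return user == booking.owner or user in booking.members or "booking_admin" in roles

def cancel_vulnerable(booking: Booking, user: str) -> Booking:
    # Only checks that some authenticated user is calling, which is the
    # behaviour the CVE description reports: any basic user can cancel any booking.
    if not user:
        raise NotAuthorized("login required")
    booking.cancelled = True
    return booking

def cancel_hardened(booking: Booking, user: str, roles: set) -> Booking:
    # Same operation with the missing server-side authorization check added.
    if not user or not may_cancel(user, roles, booking):
        raise NotAuthorized(f"{user!r} may not cancel {booking.booking_id}")
    booking.cancelled = True
    return booking

# Constructed sample data: two bookings and an audit log of cancellation
# requests recorded as (actor, actor_roles, booking_id).
SAMPLE_BOOKINGS = {
    "BK-1": Booking("BK-1", owner="alice", members={"bob"}),
    "BK-2": Booking("BK-2", owner="dave"),
}
SAMPLE_LOG = [("bob", set(), "BK-1"), ("carol", set(), "BK-1"),
              ("dave", set(), "BK-2"), ("erin", {"booking_admin"}, "BK-2")]

def suspicious_cancellations(log, bookings):
    # Cancellations by actors who had no right to cancel: what a review of
    # cancellation logs (mitigation step 2) should surface for follow-up.
    return [(actor, bid) for actor, roles, bid in log
            if not may_cancel(actor, roles, bookings[bid])]
```

Running `suspicious_cancellations(SAMPLE_LOG, SAMPLE_BOOKINGS)` flags only carol's cancellation of BK-1; the same `may_cancel` predicate is what the hardened handler enforces up front.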


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-11T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839d93e182aa0cae2b73011

Added to database: 5/30/2025, 4:13:50 PM

Last enriched: 7/8/2025, 3:55:58 PM

Last updated: 7/31/2025, 7:29:06 PM

