Informational

Medium

Sophos Connect v2.2 MR1 Resolves Security Vulnerabilities

CVE(s)

CVE-2022-48309

CVE-2022-48310

CVE-2022-4901

Product(s)

Sophos Connect Client 2.0

Updated

2023 Mar 1

Article version

1

Published

2023 Mar 1

Publication ID

sophos-sa-20230301-scc-csrf

Workaround

No

Overview

The Sophos Connect client v2.2 MR1 (2.2.90) release fixes the following security issues (users of older versions are required to upgrade).

CVE ID, description and severity:

CVE-2022-48309 (Severity: MEDIUM)

A CSRF vulnerability allowing malicious websites to retrieve logs and technical support archives was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.

Sophos would like to thank Mario Melcher - Information Security Professional at SEITENBAU GmbH - for responsibly disclosing this issue to Sophos.

CVE-2022-48310 (Severity: MEDIUM)

An information disclosure vulnerability allowing sensitive key material to be included in technical support archives was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.

Sophos would like to thank Mario Melcher - Information Security Professional at SEITENBAU GmbH - for responsibly disclosing this issue to Sophos.

CVE-2022-4901 (Severity: LOW)

Multiple stored XSS vulnerabilities allowing execution of JavaScript code in the local UI were discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. The victim must be tricked into manually loading a malicious VPN configuration file for the attack to succeed.
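The CSRF issue above (CVE-2022-48309) is the general problem of a desktop application exposing a local HTTP interface that any website open in the user's browser can also reach. The following is an added example, not Sophos code and not a description of how Sophos Connect is built: it assumes a hypothetical local UI served from `http://127.0.0.1:8000` / `http://localhost:8000` and shows the request-origin check a defender would put in front of a sensitive endpoint such as a log or support-archive download, so that cross-site requests from other origins are refused before any data is returned.

```python
"""Constructed example: refusing cross-site requests to a localhost-only UI.

Assumption (not from the advisory): the app's own UI is served from one of
TRUSTED_ORIGINS, and its sensitive endpoints are only ever called by that UI.
"""
from urllib.parse import urlsplit

# Hypothetical origins of the app's own local UI (assumed, for illustration).
TRUSTED_ORIGINS = {"http://127.0.0.1:8000", "http://localhost:8000"}


def _normalize_origin(value):
    """Reduce an Origin/Referer value to 'scheme://host:port' for comparison.
    Returns None for unparsable values, including the literal 'null' origin."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


_TRUSTED = {_normalize_origin(o) for o in TRUSTED_ORIGINS}


def is_same_origin_request(headers):
    """True only if the request provably comes from the app's own UI.

    headers: dict with lower-cased header names.
    Order of checks:
      1. Sec-Fetch-Site (sent by modern browsers, cannot be set by page
         script): anything other than same-origin / none is rejected.
         'none' covers a user typing the URL into the address bar.
      2. Origin header, falling back to Referer for browsers that omit
         Origin on some requests. Both must map to a trusted origin.
      3. No usable header at all is rejected: a fail-closed default that
         stops cross-site <form> or fetch() traffic from reaching the handler.
    """
    site = headers.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False
    return _normalize_origin(source) in _TRUSTED


def handle_support_archive(headers):
    """Sketch of a guarded endpoint: returns (status, body) without touching
    the archive unless the origin check passes."""
    if not is_same_origin_request(headers):
        return 403, "cross-site request refused"
    # Constructed placeholder for the real archive bytes.
    return 200, b"support-archive-contents"


if __name__ == "__main__":
    attacker = {"origin": "https://attacker.example", "sec-fetch-site": "cross-site"}
    own_ui = {"origin": "http://localhost:8000", "sec-fetch-site": "same-origin"}
    print(handle_support_archive(attacker))  # (403, 'cross-site request refused')
    print(handle_support_archive(own_ui)[0])  # 200
```

Checking `Sec-Fetch-Site` first matters because a page cannot forge it, whereas `Referer` can be suppressed by referrer policy; the fallback to `Referer` exists only for older browsers that send neither `Sec-Fetch-Site` nor `Origin` on some requests. A per-session token handed to the UI by the application is a complementary defence and would be layered on top of this check rather than replace it.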

Notes

  • Action required: Sophos strongly advises upgrading immediately as the CSRF and information disclosure vulnerabilities (CVE-2022-48309 and CVE-2022-48310) compound each other

  • Sophos always recommends that Sophos Connect users upgrade to the latest release at their earliest opportunity


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.