{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T21:41:43.272","vulnerabilities":[{"cve":{"id":"CVE-2022-29229","sourceIdentifier":"security-advisories@github.com","published":"2022-05-18T21:15:07.757","lastModified":"2024-11-21T06:58:45.970","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator."},
{"lang":"es","value":"CaSS es un sistema de competencias y habilidades. La biblioteca CaSS, (npm:cassproject) presenta un paso criptográfico faltante cuando almacena claves criptográficas que puede permitir a un administrador del servidor acceder a las claves criptográficas de una cuenta. Esto afecta a servidores CaSS que usan la autenticación autónoma de nombre de usuario/contraseña, que usa un método que espera la seguridad criptográfica e2e de las credenciales de autorización. El problema ha sido parcheado en versión 1.5.8. Sin embargo, las cuentas vulnerables sólo vuelven a asegurarse cuando el usuario vuelve a iniciar sesión usando la autenticación autónoma, ya que los datos necesarios para volver a asegurar la cuenta no están disponibles para el servidor. El problema puede mitigarse al usar SSO o certificados del lado del cliente para iniciar la sesión. Tenga en cuenta que la autenticación SSO y de certificados del lado del cliente no presenta esta expectativa de acceso a credenciales sin conocimiento, y las claves criptográficas están disponibles para el administrador del servidor"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},
"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-325"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cassproject:competency_and_skills_system:*:*:*:*:*:docker:*:*","versionEndExcluding":"1.5.8","matchCriteriaId":"D2D76674-26A6-45E3-8772-CD7DEAEE844E"},{"vulnerable":true,"criteria":"cpe:2.3:a:cassproject:competency_and_skills_system:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.5.8","matchCriteriaId":"BE259B95-B6F7-456F-9445-88AD9ECD62E3"}]}]}],"references":[{"url":"https://github.com/cassproject/CASS/releases/tag/1.5.8","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/cassproject/CASS/releases/tag/1.5.8","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/cassproject/CASS/security/advisories/GHSA-7qcx-4p32-qcmx","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}