CVE-2022-2569

Summary

The affected device stores sensitive information in cleartext, which may allow an authenticated user to access session data stored in the OAuth database belonging to legitimate users

Affected Software

VendorProductVersion RangeStatus
ARC InformatiquePcVue 12 OAuth web service configurationAll < 12.0.27affected
ARC InformatiquePcVue 15 OAuth web service configurationAllaffected

Weaknesses

  • CWE-312: CWE-312 Cleartext Storage of Sensitive Information

Workarounds

ARC Informatique has identified additional steps users can apply to reduce the risk:

Uninstall the Web Server All users not using the affected component should uninstall the web server. The OAuth web service and its configuration are part of the Web Server for PcVue. If the system does not require Web & Mobile features, then users should not install them. Users should contact ARC Informatique’s PcVue Solutions for assistance with the above steps.

For additional information, visit the public ARC Informatique security alert page. PcVue 15 does not have a fix released yet, but is in the works.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References