CVE-2022-22526 Gavazzi UWP3.0 and CPY Car Park Server 2.8.3 have missing authentication, which allows for full access via API.

To avoid this, you have to force authentication by adding a domain name and password to your API requests. For example: /v2/cars/{id}/drive/{destination}/{start_position}/{end_position}/{duration}. This forces a secure connection via the domain name and password. Unfortunately, this also stops you from using the API if you don’t want to send the domain name and password. You can solve this by creating a client application that allows you to send the domain name and password without the client application knowing. This is done by adding an OAuth application via the settings page. If the domain name and password are received from the domain name and password of your API, the domain name and password will be validated.

Disable OAuth Authentication

By modifying the settings of your API, you can disable OAuth authentication. This will force all requests to be secure by providing a domain name and password in the headers of the request.

Timeline

Published on: 09/28/2022 14:15:00 UTC
Last modified on: 09/28/2022 14:50:00 UTC

References

• https://cert.vde.com/en/advisories/VDE-2022-029/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22526