CVE-2022-3348 MEDIUM

CVE-2022-3348: Exposure of Sensitive Information to an Unauthorized Actor in tooljet/tooljet

Vendor Tooljet

Product tooljet/tooljet

Weakness CWE-200 · Info exposure

Published September 28, 2022

Last update May 21, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Just like in the previous report, an attacker could steal the account of different users. But in this case, it's a little bit more specific, because it is needed to be an editor in the same app as the victim.

Key dates

02Disclosure timeline

September 28, 2022 CVE published

May 21, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-3348 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2023-1858 SourceCodester Earnings and Expense Tracker App index.php information disclosure CVE-2022-39914 CVE-2023-5166 Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL CVE-2026-42333 quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations CVE-2019-11294 CAPI leaks service broker URLs and GUIDs to space developers