CVE-2022-29848: 
WhatsUp Gold vulnerability analysis and mitigation

CVE-2022-29848 affects Ipswitch WhatsUp Gold versions 17.0.0 through 21.1.1, and 22.0.0. The vulnerability allows an authenticated user to invoke an API transaction that enables reading sensitive operating-system attributes from a host accessible by the WhatsUp Gold system (NVD, Assetnote Advisory).

The vulnerability is classified as an Authenticated Server-Side Request Forgery (SSRF) with a CVSS v3.1 Base Score of 6.5 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is related to CWE-918 (Server-Side Request Forgery) (NVD).

When combined with other vulnerabilities (CVE-2022-29845, CVE-2022-29846, CVE-2022-29847), this vulnerability can lead to critical impact. An attacker can potentially obtain plain-text passwords of all users registered in WhatsUp Gold and perform further attacks including local file disclosure and authenticated SSRF (Assetnote Research).

Progress has released patches to address this vulnerability. Users are advised to update to the latest version of WhatsUp Gold. The vendor has provided detailed remediation information in their knowledge base article (Progress Advisory).