Search criteria
6 vulnerabilities found for equipment_predictive_maintenance by ronds
FKIE_CVE-2022-2893
Vulnerability from fkie_nvd - Published: 2023-01-17 17:15 - Updated: 2024-11-21 07:01
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
RONDS EPM version 1.19.5 does not properly validate the filename
parameter, which could allow an unauthorized user to specify file paths
and download files.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ronds | equipment_predictive_maintenance | 1.19.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ronds:equipment_predictive_maintenance:1.19.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E989C2F6-A2EA-4CD9-B058-07164859F438",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "RONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u00a0\n\n\n\n"
},
{
"lang": "es",
"value": "RONDS EPM versi\u00f3n 1.19.5 no valida correctamente el par\u00e1metro de nombre de archivo, lo que podr\u00eda permitir a un usuario no autorizado especificar rutas de archivo y descargar archivos."
}
],
"id": "CVE-2022-2893",
"lastModified": "2024-11-21T07:01:53.153",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-17T17:15:11.333",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-3091
Vulnerability from fkie_nvd - Published: 2023-01-17 17:15 - Updated: 2024-11-21 07:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
RONDS EPM version 1.19.5 has a vulnerability in which a function could
allow unauthenticated users to leak credentials. In some circumstances,
an attacker can exploit this vulnerability to execute operating system
(OS) commands.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ronds | equipment_predictive_maintenance | 1.19.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ronds:equipment_predictive_maintenance:1.19.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E989C2F6-A2EA-4CD9-B058-07164859F438",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "RONDS EPM version 1.19.5 has a vulnerability in which a function could \nallow unauthenticated users to leak credentials. In some circumstances, \nan attacker can exploit this vulnerability to execute operating system \n(OS) commands. \n\n\n\n"
},
{
"lang": "es",
"value": "RONDS EPM versi\u00f3n 1.19.5 tiene una vulnerabilidad en la que una funci\u00f3n podr\u00eda permitir que usuarios no autenticados filtren credenciales. En algunas circunstancias, un atacante puede aprovechar esta vulnerabilidad para ejecutar comandos del sistema operativo (SO)."
}
],
"id": "CVE-2022-3091",
"lastModified": "2024-11-21T07:18:48.483",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-17T17:15:11.620",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
}
CVE-2022-3091 (GCVE-0-2022-3091)
Vulnerability from cvelistv5 – Published: 2023-01-17 16:21 – Updated: 2025-01-16 22:01
VLAI?
Summary
RONDS EPM version 1.19.5 has a vulnerability in which a function could
allow unauthenticated users to leak credentials. In some circumstances,
an attacker can exploit this vulnerability to execute operating system
(OS) commands.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RONDS | Equipment Predictive Maintenance Solution |
Affected:
1.19.5
|
Credits
TsungShu Chiu of CHT Security reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:57:22.457108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T22:01:20.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Equipment Predictive Maintenance Solution",
"vendor": "RONDS",
"versions": [
{
"status": "affected",
"version": "1.19.5 "
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "TsungShu Chiu of CHT Security reported these vulnerabilities to CISA. "
}
],
"datePublic": "2023-01-12T16:21:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nRONDS EPM version 1.19.5 has a vulnerability in which a function could \nallow unauthenticated users to leak credentials. In some circumstances, \nan attacker can exploit this vulnerability to execute operating system \n(OS) commands. \n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "RONDS EPM version 1.19.5 has a vulnerability in which a function could \nallow unauthenticated users to leak credentials. In some circumstances, \nan attacker can exploit this vulnerability to execute operating system \n(OS) commands. \n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T16:21:57.537Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\u003c/p\u003e"
}
],
"value": "\nRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-3091",
"datePublished": "2023-01-17T16:21:57.537Z",
"dateReserved": "2022-09-01T18:59:32.526Z",
"dateUpdated": "2025-01-16T22:01:20.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2893 (GCVE-0-2022-2893)
Vulnerability from cvelistv5 – Published: 2023-01-17 16:19 – Updated: 2025-01-16 22:01
VLAI?
Summary
RONDS EPM version 1.19.5 does not properly validate the filename
parameter, which could allow an unauthorized user to specify file paths
and download files.
Severity ?
8.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RONDS | Equipment Predictive Maintenance Solution |
Affected:
1.19.5
|
Credits
TsungShu Chiu of CHT Security reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:53:00.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:57:25.390921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T22:01:26.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Equipment Predictive Maintenance Solution",
"vendor": "RONDS",
"versions": [
{
"status": "affected",
"version": "1.19.5 "
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "TsungShu Chiu of CHT Security reported these vulnerabilities to CISA. "
}
],
"datePublic": "2023-01-12T16:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nRONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u0026nbsp;\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "RONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u00a0\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T16:19:05.745Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\u003c/p\u003e"
}
],
"value": "\nRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-2893",
"datePublished": "2023-01-17T16:19:05.745Z",
"dateReserved": "2022-08-18T22:34:51.784Z",
"dateUpdated": "2025-01-16T22:01:26.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3091 (GCVE-0-2022-3091)
Vulnerability from nvd – Published: 2023-01-17 16:21 – Updated: 2025-01-16 22:01
VLAI?
Summary
RONDS EPM version 1.19.5 has a vulnerability in which a function could
allow unauthenticated users to leak credentials. In some circumstances,
an attacker can exploit this vulnerability to execute operating system
(OS) commands.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RONDS | Equipment Predictive Maintenance Solution |
Affected:
1.19.5
|
Credits
TsungShu Chiu of CHT Security reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:57:22.457108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T22:01:20.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Equipment Predictive Maintenance Solution",
"vendor": "RONDS",
"versions": [
{
"status": "affected",
"version": "1.19.5 "
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "TsungShu Chiu of CHT Security reported these vulnerabilities to CISA. "
}
],
"datePublic": "2023-01-12T16:21:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nRONDS EPM version 1.19.5 has a vulnerability in which a function could \nallow unauthenticated users to leak credentials. In some circumstances, \nan attacker can exploit this vulnerability to execute operating system \n(OS) commands. \n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "RONDS EPM version 1.19.5 has a vulnerability in which a function could \nallow unauthenticated users to leak credentials. In some circumstances, \nan attacker can exploit this vulnerability to execute operating system \n(OS) commands. \n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T16:21:57.537Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\u003c/p\u003e"
}
],
"value": "\nRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-3091",
"datePublished": "2023-01-17T16:21:57.537Z",
"dateReserved": "2022-09-01T18:59:32.526Z",
"dateUpdated": "2025-01-16T22:01:20.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2893 (GCVE-0-2022-2893)
Vulnerability from nvd – Published: 2023-01-17 16:19 – Updated: 2025-01-16 22:01
VLAI?
Summary
RONDS EPM version 1.19.5 does not properly validate the filename
parameter, which could allow an unauthorized user to specify file paths
and download files.
Severity ?
8.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RONDS | Equipment Predictive Maintenance Solution |
Affected:
1.19.5
|
Credits
TsungShu Chiu of CHT Security reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:53:00.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T20:57:25.390921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T22:01:26.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Equipment Predictive Maintenance Solution",
"vendor": "RONDS",
"versions": [
{
"status": "affected",
"version": "1.19.5 "
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "TsungShu Chiu of CHT Security reported these vulnerabilities to CISA. "
}
],
"datePublic": "2023-01-12T16:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nRONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u0026nbsp;\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "RONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u00a0\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T16:19:05.745Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\u003c/p\u003e"
}
],
"value": "\nRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-2893",
"datePublished": "2023-01-17T16:19:05.745Z",
"dateReserved": "2022-08-18T22:34:51.784Z",
"dateUpdated": "2025-01-16T22:01:26.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}