Search criteria
3 vulnerabilities found for lumada_asset_performance_management by hitachienergy
FKIE_CVE-2022-2155
Vulnerability from fkie_nvd - Published: 2023-01-12 15:15 - Updated: 2024-11-21 07:00
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature
due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports
feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining
unauthorized access to any Power BI reports installed by the customer.
Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.
Affected versions
* Lumada APM on-premises version 6.0.0.0 - 6.4.0.*
List of CPEs:
* cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hitachienergy | lumada_asset_performance_management | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*",
"matchCriteriaId": "C7CCDA82-BE91-49C2-93DD-B21F2653BDDB",
"versionEndExcluding": "6.4.0.1",
"versionStartIncluding": "6.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en las versiones afectadas de la funci\u00f3n User Asset Group de Lumada APM debido a un fallo en la implementaci\u00f3n del mecanismo de control de acceso en el \u201cLimited Engineer\u201d rol, otorg\u00e1ndole acceso a la caracter\u00edstica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podr\u00eda acceder a informaci\u00f3n no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Adem\u00e1s, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deber\u00edan estar disponibles para el atacante. Versiones afectadas: \n* Lumada APM versi\u00f3n local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*"
}
],
"id": "CVE-2022-2155",
"lastModified": "2024-11-21T07:00:26.363",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "cybersecurity@hitachienergy.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-12T15:15:09.797",
"references": [
{
"source": "cybersecurity@hitachienergy.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@hitachienergy.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "cybersecurity@hitachienergy.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-2155 (GCVE-0-2022-2155)
Vulnerability from cvelistv5 – Published: 2023-01-12 14:01 – Updated: 2025-04-07 15:06
VLAI?
Title
A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role.
Summary
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature
due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports
feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining
unauthorized access to any Power BI reports installed by the customer.
Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.
Affected versions
* Lumada APM on-premises version 6.0.0.0 - 6.4.0.*
List of CPEs:
* cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*
Severity ?
5.7 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Energy | Lumada APM |
Affected:
6.0.0.*
Affected: 6.1.0.* Affected: 6.2.0.* Affected: 6.3.0.* Affected: 6.4.0.0 Unaffected: 6.4.0.1 Unaffected: 6.5.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:07.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T15:06:22.175649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T15:06:41.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lumada APM",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "6.0.0.*"
},
{
"status": "affected",
"version": "6.1.0.*"
},
{
"status": "affected",
"version": "6.2.0.*"
},
{
"status": "affected",
"version": "6.3.0.*"
},
{
"status": "affected",
"version": "6.4.0.0"
},
{
"status": "unaffected",
"version": "6.4.0.1"
},
{
"status": "unaffected",
"version": "6.5.0.0"
}
]
}
],
"datePublic": "2022-12-23T13:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u0026nbsp;\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\u003cbr\u003e\u003cbr\u003e\n\nAffected versions \u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eLumada APM on-premises version 6.0.0.0 - 6.4.0.*\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eList of CPEs:\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T14:01:51.857Z",
"orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"shortName": "Hitachi Energy"
},
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eFor Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\u003cbr\u003e\u003c/li\u003e\u003cli\u003eFor Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u0026nbsp;\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": " * For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n * For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u00a0\n\n\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "A vulnerability exists in the Lumada APM\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role. ",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003eIn case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\u003c/li\u003e\u003cli\u003eIf Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eApply general mitigation factors as described in the respective advisory.\u0026nbsp;"
}
],
"value": "\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u00a0\n * In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n * If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory.\u00a0"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"assignerShortName": "Hitachi Energy",
"cveId": "CVE-2022-2155",
"datePublished": "2023-01-12T14:01:51.857Z",
"dateReserved": "2022-06-21T16:47:22.017Z",
"dateUpdated": "2025-04-07T15:06:41.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2155 (GCVE-0-2022-2155)
Vulnerability from nvd – Published: 2023-01-12 14:01 – Updated: 2025-04-07 15:06
VLAI?
Title
A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role.
Summary
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature
due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports
feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining
unauthorized access to any Power BI reports installed by the customer.
Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.
Affected versions
* Lumada APM on-premises version 6.0.0.0 - 6.4.0.*
List of CPEs:
* cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*
Severity ?
5.7 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Energy | Lumada APM |
Affected:
6.0.0.*
Affected: 6.1.0.* Affected: 6.2.0.* Affected: 6.3.0.* Affected: 6.4.0.0 Unaffected: 6.4.0.1 Unaffected: 6.5.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:07.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T15:06:22.175649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T15:06:41.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lumada APM",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "6.0.0.*"
},
{
"status": "affected",
"version": "6.1.0.*"
},
{
"status": "affected",
"version": "6.2.0.*"
},
{
"status": "affected",
"version": "6.3.0.*"
},
{
"status": "affected",
"version": "6.4.0.0"
},
{
"status": "unaffected",
"version": "6.4.0.1"
},
{
"status": "unaffected",
"version": "6.5.0.0"
}
]
}
],
"datePublic": "2022-12-23T13:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u0026nbsp;\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\u003cbr\u003e\u003cbr\u003e\n\nAffected versions \u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eLumada APM on-premises version 6.0.0.0 - 6.4.0.*\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eList of CPEs:\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-12T14:01:51.857Z",
"orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"shortName": "Hitachi Energy"
},
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eFor Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\u003cbr\u003e\u003c/li\u003e\u003cli\u003eFor Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u0026nbsp;\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": " * For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n * For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u00a0\n\n\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "A vulnerability exists in the Lumada APM\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role. ",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003eIn case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\u003c/li\u003e\u003cli\u003eIf Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eApply general mitigation factors as described in the respective advisory.\u0026nbsp;"
}
],
"value": "\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u00a0\n * In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n * If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory.\u00a0"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"assignerShortName": "Hitachi Energy",
"cveId": "CVE-2022-2155",
"datePublished": "2023-01-12T14:01:51.857Z",
"dateReserved": "2022-06-21T16:47:22.017Z",
"dateUpdated": "2025-04-07T15:06:41.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}