CVE-2022-2155 (GCVE-0-2022-2155)

Vulnerability from cvelistv5 – Published: 2023-01-12 14:01 – Updated: 2025-04-07 15:06
VLAI?
Title
A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role.
Summary
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining unauthorized access to any Power BI reports installed by the customer.  Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker. Affected versions * Lumada APM on-premises version 6.0.0.0 - 6.4.0.* List of CPEs:  * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*
Severity ?
5.7 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
Hitachi Energy Lumada APM Affected: 6.0.0.*
Affected: 6.1.0.*
Affected: 6.2.0.*
Affected: 6.3.0.*
Affected: 6.4.0.0
Unaffected: 6.4.0.1
Unaffected: 6.5.0.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:32:07.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2155",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T15:06:22.175649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T15:06:41.003Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Lumada APM",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.0.*"
            },
            {
              "status": "affected",
              "version": "6.1.0.*"
            },
            {
              "status": "affected",
              "version": "6.2.0.*"
            },
            {
              "status": "affected",
              "version": "6.3.0.*"
            },
            {
              "status": "affected",
              "version": "6.4.0.0"
            },
            {
              "status": "unaffected",
              "version": "6.4.0.1"
            },
            {
              "status": "unaffected",
              "version": "6.5.0.0"
            }
          ]
        }
      ],
      "datePublic": "2022-12-23T13:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u0026nbsp;\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\u003cbr\u003e\u003cbr\u003e\n\nAffected versions \u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eLumada APM on-premises version 6.0.0.0 - 6.4.0.*\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eList of CPEs:\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-12T14:01:51.857Z",
        "orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
        "shortName": "Hitachi Energy"
      },
      "references": [
        {
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cul\u003e\u003cli\u003eFor Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\u003cbr\u003e\u003c/li\u003e\u003cli\u003eFor Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u0026nbsp;\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "  *  For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n  *  For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u00a0\n\n\n\n"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "A vulnerability exists in the Lumada APM\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role. ",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003eIn case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\u003c/li\u003e\u003cli\u003eIf Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eApply general mitigation factors as described in the respective advisory.\u0026nbsp;"
            }
          ],
          "value": "\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u00a0\n  *  In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n  *  If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory.\u00a0"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
    "assignerShortName": "Hitachi Energy",
    "cveId": "CVE-2022-2155",
    "datePublished": "2023-01-12T14:01:51.857Z",
    "dateReserved": "2022-06-21T16:47:22.017Z",
    "dateUpdated": "2025-04-07T15:06:41.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*\", \"versionStartIncluding\": \"6.0.0.0\", \"versionEndExcluding\": \"6.4.0.1\", \"matchCriteriaId\": \"C7CCDA82-BE91-49C2-93DD-B21F2653BDDB\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\nA vulnerability exists in the affected versions of Lumada APM\\u2019s User Asset Group feature\\ndue to a flaw in access control mechanism implementation on the \\u201cLimited Engineer\\u201d role, granting it access to the embedded Power BI reports\\nfeature. An attacker that manages to exploit the vulnerability on a customer\\u2019s Lumada APM could access unauthorized information by gaining\\nunauthorized access to any Power BI reports installed by the customer.\\u00a0\\n\\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\\n\\n\\n\\nAffected versions \\n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\\n\\n\\n\\nList of CPEs:\\u00a0\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\\n\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad en las versiones afectadas de la funci\\u00f3n User Asset Group de Lumada APM debido a un fallo en la implementaci\\u00f3n del mecanismo de control de acceso en el \\u201cLimited Engineer\\u201d rol, otorg\\u00e1ndole acceso a la caracter\\u00edstica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podr\\u00eda acceder a informaci\\u00f3n no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Adem\\u00e1s, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deber\\u00edan estar disponibles para el atacante. Versiones afectadas: \\n* Lumada APM versi\\u00f3n local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*\"}]",
      "id": "CVE-2022-2155",
      "lastModified": "2024-11-21T07:00:26.363",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cybersecurity@hitachienergy.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}]}",
      "published": "2023-01-12T15:15:09.797",
      "references": "[{\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"cybersecurity@hitachienergy.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "cybersecurity@hitachienergy.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@hitachienergy.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-2155\",\"sourceIdentifier\":\"cybersecurity@hitachienergy.com\",\"published\":\"2023-01-12T15:15:09.797\",\"lastModified\":\"2024-11-21T07:00:26.363\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\\nunauthorized access to any Power BI reports installed by the customer.\u00a0\\n\\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\\n\\n\\n\\nAffected versions \\n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\\n\\n\\n\\nList of CPEs:\u00a0\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad en las versiones afectadas de la funci\u00f3n User Asset Group de Lumada APM debido a un fallo en la implementaci\u00f3n del mecanismo de control de acceso en el \u201cLimited Engineer\u201d rol, otorg\u00e1ndole acceso a la caracter\u00edstica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podr\u00eda acceder a informaci\u00f3n no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Adem\u00e1s, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deber\u00edan estar disponibles para el atacante. Versiones afectadas: \\n* Lumada APM versi\u00f3n local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@hitachienergy.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"cybersecurity@hitachienergy.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*\",\"versionStartIncluding\":\"6.0.0.0\",\"versionEndExcluding\":\"6.4.0.1\",\"matchCriteriaId\":\"C7CCDA82-BE91-49C2-93DD-B21F2653BDDB\"}]}]}],\"references\":[{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@hitachienergy.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T00:32:07.969Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-2155\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-07T15:06:22.175649Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-07T15:06:29.231Z\"}}], \"cna\": {\"title\": \"A vulnerability exists in the Lumada APM\\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \\u201cLimited Engineer\\u201d role. \", \"source\": {\"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-122\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-122 Privilege Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Hitachi Energy\", \"product\": \"Lumada APM\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0.0.*\"}, {\"status\": \"affected\", \"version\": \"6.1.0.*\"}, {\"status\": \"affected\", \"version\": \"6.2.0.*\"}, {\"status\": \"affected\", \"version\": \"6.3.0.*\"}, {\"status\": \"affected\", \"version\": \"6.4.0.0\"}, {\"status\": \"unaffected\", \"version\": \"6.4.0.1\"}, {\"status\": \"unaffected\", \"version\": \"6.5.0.0\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"  *  For Lumada APM version 6.4.0.* \\u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\\n\\n  *  For Lumada APM versions prior to 6.4.0.0 \\u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\\u00a0\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cul\u003e\u003cli\u003eFor Lumada APM version 6.4.0.* \\u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\u003cbr\u003e\u003c/li\u003e\u003cli\u003eFor Lumada APM versions prior to 6.4.0.0 \\u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u0026nbsp;\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"datePublic\": \"2022-12-23T13:30:00.000Z\", \"references\": [{\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"\\nOut-of-the-box, Lumada APM \\u2013 On Premise does not support the Power BI integration feature. Nonetheless,\\none can connect a subscription-based Power BI to Lumada APM.\\u00a0\\n  *  In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \\u201cLimited Engineer\\u201d role, or to remove any users with \\u201cLimited Engineer\\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\\n  *  If Power BI integration is disabled, it is safe to continue to assign the \\u201cLimited Engineer\\u201d role to users.\\n\\n\\n\\nApply general mitigation factors as described in the respective advisory.\\u00a0\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\nOut-of-the-box, Lumada APM \\u2013 On Premise does not support the Power BI integration feature. Nonetheless,\\none can connect a subscription-based Power BI to Lumada APM.\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003eIn case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \\u201cLimited Engineer\\u201d role, or to remove any users with \\u201cLimited Engineer\\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\u003c/li\u003e\u003cli\u003eIf Power BI integration is disabled, it is safe to continue to assign the \\u201cLimited Engineer\\u201d role to users.\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eApply general mitigation factors as described in the respective advisory.\u0026nbsp;\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nA vulnerability exists in the affected versions of Lumada APM\\u2019s User Asset Group feature\\ndue to a flaw in access control mechanism implementation on the \\u201cLimited Engineer\\u201d role, granting it access to the embedded Power BI reports\\nfeature. An attacker that manages to exploit the vulnerability on a customer\\u2019s Lumada APM could access unauthorized information by gaining\\nunauthorized access to any Power BI reports installed by the customer.\\u00a0\\n\\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\\n\\n\\n\\nAffected versions \\n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\\n\\n\\n\\nList of CPEs:\\u00a0\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\nA vulnerability exists in the affected versions of Lumada APM\\u2019s User Asset Group feature\\ndue to a flaw in access control mechanism implementation on the \\u201cLimited Engineer\\u201d role, granting it access to the embedded Power BI reports\\nfeature. An attacker that manages to exploit the vulnerability on a customer\\u2019s Lumada APM could access unauthorized information by gaining\\nunauthorized access to any Power BI reports installed by the customer.\u0026nbsp;\\n\\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\u003cbr\u003e\u003cbr\u003e\\n\\nAffected versions \u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eLumada APM on-premises version 6.0.0.0 - 6.4.0.*\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003eList of CPEs:\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"e383dce4-0c27-4495-91c4-0db157728d17\", \"shortName\": \"Hitachi Energy\", \"dateUpdated\": \"2023-01-12T14:01:51.857Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-2155\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-07T15:06:41.003Z\", \"dateReserved\": \"2022-06-21T16:47:22.017Z\", \"assignerOrgId\": \"e383dce4-0c27-4495-91c4-0db157728d17\", \"datePublished\": \"2023-01-12T14:01:51.857Z\", \"assignerShortName\": \"Hitachi Energy\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.