cvelistv5 - CVE-2022-31486

CVE-2022-31486 (GCVE-0-2022-31486)

Vulnerability from cvelistv5 – Published: 2022-06-06 16:41 – Updated: 2024-09-16 18:03

Summary

An authenticated attacker can send a specially crafted route to the “edit_route.cgi” binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - OS Command Injection

Assigner

Carrier

References

URL

Tags

https://www.corporate.carrier.com/product-securit…

x_refsource_MISC

Impacted products

Vendor

Product

Version

LenelS2

LNL-X2210

Affected: ALL , < 1.303 (custom)

LenelS2	LNL-X2220	Affected: ALL , < 1.303 (custom)
LenelS2	LNL-X3300	Affected: ALL , < 1.303 (custom)
LenelS2	LNL-X4420	Affected: ALL , < 1.303 (custom)
LenelS2	LNL-4420	Affected: ALL , < 1.297 (custom)
LenelS2	S2-LP-1501	Affected: ALL , < 1.303 (custom)
LenelS2	S2-LP-1502	Affected: ALL , < 1.303 (custom)
LenelS2	S2-LP-2500	Affected: ALL , < 1.303 (custom)
LenelS2	S2-LP-4502	Affected: ALL , < 1.303 (custom)
HID Mercury	LP1501	Affected: ALL , < 1.303 (custom)
HID Mercury	LP1502	Affected: ALL , < 1.303 (custom)
HID Mercury	LP2500	Affected: ALL , < 1.303 (custom)
HID Mercury	LP4502	Affected: ALL , < 1.303 (custom)
HID Mercury	EP4502	Affected: ALL , < 1.297 (custom)

Credits

Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:19:06.079Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LNL-X2210",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X2220",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X3300",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-X4420",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LNL-4420",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.297",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-1501",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-1502",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-2500",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "S2-LP-4502",
          "vendor": "LenelS2",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP1501",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP1502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP2500",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "LP4502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.303",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "EP4502",
          "vendor": "HID Mercury",
          "versions": [
            {
              "lessThan": "1.297",
              "status": "affected",
              "version": "ALL",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
        }
      ],
      "datePublic": "2022-06-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-06T16:41:46",
        "orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
        "shortName": "Carrier"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to the latest version of firmware"
        }
      ],
      "source": {
        "advisory": "CARR-PSA-006-0522",
        "discovery": "EXTERNAL"
      },
      "title": "Command injection via Advanced Networking route add functionality",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productsecurity@carrier.com",
          "DATE_PUBLIC": "2022-06-02T22:00:00.000Z",
          "ID": "CVE-2022-31486",
          "STATE": "PUBLIC",
          "TITLE": "Command injection via Advanced Networking route add functionality"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LNL-X2210",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X2220",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X3300",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-X4420",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LNL-4420",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.297"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-1501",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-1502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-2500",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "S2-LP-4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "LenelS2"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LP1501",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP1502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP2500",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "LP4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.303"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "EP4502",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "ALL",
                            "version_value": "1.297"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HID Mercury"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.corporate.carrier.com/product-security/advisories-resources/",
              "refsource": "MISC",
              "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to the latest version of firmware"
          }
        ],
        "source": {
          "advisory": "CARR-PSA-006-0522",
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
    "assignerShortName": "Carrier",
    "cveId": "CVE-2022-31486",
    "datePublished": "2022-06-06T16:41:46.407824Z",
    "dateReserved": "2022-05-23T00:00:00",
    "dateUpdated": "2024-09-16T18:03:16.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"B8EB5D8F-0EAF-4960-9C1F-4E43614AEF1E\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B9DC3EC5-C67D-4FE5-8B53-04AB785588FE\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"B2753AA2-75FC-40F7-A8EC-D76CB3BAEC9C\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"902FDABA-C5D0-4CAE-BBDF-E4338D3A4DAF\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"CB0D54B1-6140-4BD5-A49D-B5983A2CCB84\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AAC2A69E-BF7D-448B-8347-19CFFABED15A\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"7F351A13-995A-43C0-A87D-B534DCD8512E\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"22147A65-6ADE-46F3-AFF8-E46CE81D6E8B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.297\", \"matchCriteriaId\": \"6F16DD76-4C6B-4ACE-BFAB-C6FCA6355BB5\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9A28A38-C57D-4FC6-8CAA-0011AF06D290\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.297\", \"matchCriteriaId\": \"3862AEE4-5B50-434E-B293-3322F6AAE5FE\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36855319-E36B-47C3-B27E-E1509D1C9D4D\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"2424FA8C-D7D5-40BD-8510-9F1A20C4ADD4\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3B091C8F-2C3A-47C9-92AC-550D977F781A\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"854B319F-2138-4F18-96CA-73B13927A4D8\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"15FD8460-39D0-46C4-9F04-EB3B6C72767A\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"6C2395B5-E7CC-4A9E-99AB-617D5541B84E\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"389BE7A1-1B57-4097-9AAF-A6931C06BA15\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"531D12F9-E636-43C5-8E66-CA057DAFC4BF\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BC2BAEA-E139-47C2-9A8F-857AB1C7D54B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"3EF4C948-4174-4F5A-881B-0FB985D9331D\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3183C665-CD31-446D-8D95-908148675D25\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"0722187B-9BCB-4D59-9E47-10700F331AEE\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"93B38941-79D8-41E7-9763-989C0C3B6139\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"7322CD14-B238-44B8-A3F6-C2FD91EEADBC\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1724D78F-EE79-4E48-BDB2-D399C573F42D\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.303\", \"matchCriteriaId\": \"EF3856F1-9777-4389-A8B5-228EE3858C89\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"115129D2-5134-4BCD-B5D0-263F4687B59D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An authenticated attacker can send a specially crafted route to the \\u201cedit_route.cgi\\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.\"}, {\"lang\": \"es\", \"value\": \"Un atacante autenticado puede enviar una ruta especialmente dise\\u00f1ada al binario \\\"edit_route.cgi\\\" y hacer que ejecute comandos de shell. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.303 para la serie LP y 1.297 para la serie EP. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los rel\\u00e9s incorporados, cambiar los archivos de configuraci\\u00f3n o causar que el dispositivo se vuelva inestable\"}]",
      "id": "CVE-2022-31486",
      "lastModified": "2024-11-21T07:04:33.760",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"productsecurity@carrier.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:C/I:C/A:C\", \"baseScore\": 9.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.0, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-06-06T17:15:11.810",
      "references": "[{\"url\": \"https://www.corporate.carrier.com/product-security/advisories-resources/\", \"source\": \"productsecurity@carrier.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.corporate.carrier.com/product-security/advisories-resources/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "productsecurity@carrier.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"productsecurity@carrier.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31486\",\"sourceIdentifier\":\"productsecurity@carrier.com\",\"published\":\"2022-06-06T17:15:11.810\",\"lastModified\":\"2024-11-21T07:04:33.760\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.\"},{\"lang\":\"es\",\"value\":\"Un atacante autenticado puede enviar una ruta especialmente dise\u00f1ada al binario \\\"edit_route.cgi\\\" y hacer que ejecute comandos de shell. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.303 para la serie LP y 1.297 para la serie EP. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los rel\u00e9s incorporados, cambiar los archivos de configuraci\u00f3n o causar que el dispositivo se vuelva inestable\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"productsecurity@carrier.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"productsecurity@carrier.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"B8EB5D8F-0EAF-4960-9C1F-4E43614AEF1E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9DC3EC5-C67D-4FE5-8B53-04AB785588FE\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"B2753AA2-75FC-40F7-A8EC-D76CB3BAEC9C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"902FDABA-C5D0-4CAE-BBDF-E4338D3A4DAF\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"CB0D54B1-6140-4BD5-A49D-B5983A2CCB84\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AAC2A69E-BF7D-448B-8347-19CFFABED15A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"7F351A13-995A-43C0-A87D-B534DCD8512E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22147A65-6ADE-46F3-AFF8-E46CE81D6E8B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.297\",\"matchCriteriaId\":\"6F16DD76-4C6B-4ACE-BFAB-C6FCA6355BB5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9A28A38-C57D-4FC6-8CAA-0011AF06D290\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.297\",\"matchCriteriaId\":\"3862AEE4-5B50-434E-B293-3322F6AAE5FE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36855319-E36B-47C3-B27E-E1509D1C9D4D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"2424FA8C-D7D5-40BD-8510-9F1A20C4ADD4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B091C8F-2C3A-47C9-92AC-550D977F781A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"854B319F-2138-4F18-96CA-73B13927A4D8\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"15FD8460-39D0-46C4-9F04-EB3B6C72767A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"6C2395B5-E7CC-4A9E-99AB-617D5541B84E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"389BE7A1-1B57-4097-9AAF-A6931C06BA15\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"531D12F9-E636-43C5-8E66-CA057DAFC4BF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BC2BAEA-E139-47C2-9A8F-857AB1C7D54B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"3EF4C948-4174-4F5A-881B-0FB985D9331D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3183C665-CD31-446D-8D95-908148675D25\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"0722187B-9BCB-4D59-9E47-10700F331AEE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"93B38941-79D8-41E7-9763-989C0C3B6139\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"7322CD14-B238-44B8-A3F6-C2FD91EEADBC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1724D78F-EE79-4E48-BDB2-D399C573F42D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.303\",\"matchCriteriaId\":\"EF3856F1-9777-4389-A8B5-228EE3858C89\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"115129D2-5134-4BCD-B5D0-263F4687B59D\"}]}]}],\"references\":[{\"url\":\"https://www.corporate.carrier.com/product-security/advisories-resources/\",\"source\":\"productsecurity@carrier.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.corporate.carrier.com/product-security/advisories-resources/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

GHSA-75HQ-CQH2-XF56

Vulnerability from github – Published: 2022-06-07 00:00 – Updated: 2022-06-18 00:00

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-31486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-06T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.",
  "id": "GHSA-75hq-cqh2-xf56",
  "modified": "2022-06-18T00:00:26Z",
  "published": "2022-06-07T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31486"
    },
    {
      "type": "WEB",
      "url": "https://www.corporate.carrier.com/product-security/advisories-resources"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

ICSA-22-153-01

Vulnerability from csaf_cisa - Published: 2022-06-02 00:00 - Updated: 2022-06-02 00:00

Summary

Carrier LenelS2 HID Mercury access panels

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.

Critical infrastructure sectors

Commercial Facilities

Countries/areas deployed

United States

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/icsSeveral recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/icsin the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Sam Quinn @eAyeP",
          "Steve Povolny @spovolny"
        ],
        "organization": "Trellix Threat Labs",
        "summary": "reporting these vulnerabilities to Carrier"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Commercial Facilities",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/icsSeveral recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/icsin the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-22-153-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-153-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-22-153-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-153-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Carrier LenelS2 HID Mercury access panels",
    "tracking": {
      "current_release_date": "2022-06-02T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-22-153-01",
      "initial_release_date": "2022-06-02T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2022-06-02T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-22-153-01 Carrier LenelS2 HID Mercury access panels"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "LNL-X2210",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - LNL-X2210",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "LNL-X2220",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - LNL-X2220",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "LNL-X3300",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - LNL-X3300",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "LNL-X4420",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - LNL-X4420",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "LNL-4420",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - LNL-4420",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "S2-LP-1501",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - S2-LP-1501",
                  "product_id": "CSAFPID-0006"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "S2-LP-4502",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - S2-LP-4502",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "S2-LP-2500",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - S2-LP-2500",
                  "product_id": "CSAFPID-0008"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "S2-LP-1502",
                "product": {
                  "name": "HID Mercury access panels sold by LenelS2 - S2-LP-1502",
                  "product_id": "CSAFPID-0009"
                }
              }
            ],
            "category": "product_name",
            "name": "HID Mercury access panels sold by LenelS2"
          }
        ],
        "category": "vendor",
        "name": "Carrier LenelS2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-31479",
      "cwe": {
        "id": "CWE-693",
        "name": "Protection Mechanism Failure"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated attacker can update the hostname with a specially crafted name, allowing shell command execution during the core collection process.CVE-2022-31479 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31479"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31480",
      "cwe": {
        "id": "CWE-425",
        "name": "Direct Request (\u0027Forced Browsing\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a denial-of-service condition.CVE-2022-31480 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31480"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31481",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer.CVE-2022-31481 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31481"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31482",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated attacker can send a specially crafted unauthenticated HTTP request to the device that can overflow a buffer.CVE-2022-31482 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31482"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31483",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An authenticated attacker can manipulate a filename to achieve the ability to upload the desired file anywhere on the filesystem.CVE-2022-31483 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31483"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31484",
      "cwe": {
        "id": "CWE-425",
        "name": "Direct Request (\u0027Forced Browsing\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated attacker can send a specially crafted network packet to delete a user from the web interface.CVE-2022-31484 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31484"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31485",
      "cwe": {
        "id": "CWE-425",
        "name": "Direct Request (\u0027Forced Browsing\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An unauthenticated attacker can send a specially crafted packet to update the notes section on the home page of the web interface.CVE-2022-31485 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31485"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2022-31486",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An authenticated attacker can send a specially crafted route to a specific binary causing it to execute shell commands.CVE-2022-31486 has been assigned to this vulnerability. A CVSS v3 base score 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31486"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Carrier recommends updating these access panels to the most current released firmware via the LenelS2 Partner Center. Please contact a Carrier support channel partner for instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "The controller can also be configured to disable web access, which prevents remote login into the controller\u0027s webpage. To log in, see the specific instructions in CARR-PSA-006-0622",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        },
        {
          "category": "mitigation",
          "details": "Carrier has published CARR-PSA-006-0622 to notify users about these vulnerabilities, providing additional mitigation instructions.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    }
  ]
}

FKIE_CVE-2022-31486

Vulnerability from fkie_nvd - Published: 2022-06-06 17:15 - Updated: 2024-11-21 07:04

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	productsecurity@carrier.com	https://www.corporate.carrier.com/product-security/advisories-resources/	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.corporate.carrier.com/product-security/advisories-resources/	Vendor Advisory

Impacted products

Vendor	Product	Version
hidglobal	lp1501_firmware	*
hidglobal	lp1501	-
hidglobal	lp1502_firmware	*
hidglobal	lp1502	-
hidglobal	lp2500_firmware	*
hidglobal	lp2500	-
hidglobal	lp4502_firmware	*
hidglobal	lp4502	-
hidglobal	ep4502_firmware	*
hidglobal	ep4502	-
carrier	lenels2_lnl-4420_firmware	*
carrier	lenels2_lnl-4420	-
carrier	lenels2_lnl-x2210_firmware	*
carrier	lenels2_lnl-x2210	-
carrier	lenels2_lnl-x2220_firmware	*
carrier	lenels2_lnl-x2220	-
carrier	lenels2_lnl-x3300_firmware	*
carrier	lenels2_lnl-x3300	-
carrier	lenels2_lnl-x4420_firmware	*
carrier	lenels2_lnl-x4420	-
carrier	lenels2_s2-lp-1501_firmware	*
carrier	lenels2_s2-lp-1501	-
carrier	lenels2_s2-lp-1502_firmware	*
carrier	lenels2_s2-lp-1502	-
carrier	lenels2_s2-lp-2500_firmware	*
carrier	lenels2_s2-lp-2500	-
carrier	lenels2_s2-lp-4502_firmware	*
carrier	lenels2_s2-lp-4502	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8EB5D8F-0EAF-4960-9C1F-4E43614AEF1E",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B9DC3EC5-C67D-4FE5-8B53-04AB785588FE",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2753AA2-75FC-40F7-A8EC-D76CB3BAEC9C",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "902FDABA-C5D0-4CAE-BBDF-E4338D3A4DAF",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB0D54B1-6140-4BD5-A49D-B5983A2CCB84",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AAC2A69E-BF7D-448B-8347-19CFFABED15A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F351A13-995A-43C0-A87D-B534DCD8512E",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "22147A65-6ADE-46F3-AFF8-E46CE81D6E8B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F16DD76-4C6B-4ACE-BFAB-C6FCA6355BB5",
              "versionEndExcluding": "1.297",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9A28A38-C57D-4FC6-8CAA-0011AF06D290",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3862AEE4-5B50-434E-B293-3322F6AAE5FE",
              "versionEndExcluding": "1.297",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "36855319-E36B-47C3-B27E-E1509D1C9D4D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2424FA8C-D7D5-40BD-8510-9F1A20C4ADD4",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B091C8F-2C3A-47C9-92AC-550D977F781A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "854B319F-2138-4F18-96CA-73B13927A4D8",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "15FD8460-39D0-46C4-9F04-EB3B6C72767A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C2395B5-E7CC-4A9E-99AB-617D5541B84E",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "389BE7A1-1B57-4097-9AAF-A6931C06BA15",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "531D12F9-E636-43C5-8E66-CA057DAFC4BF",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BC2BAEA-E139-47C2-9A8F-857AB1C7D54B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EF4C948-4174-4F5A-881B-0FB985D9331D",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3183C665-CD31-446D-8D95-908148675D25",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0722187B-9BCB-4D59-9E47-10700F331AEE",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "93B38941-79D8-41E7-9763-989C0C3B6139",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7322CD14-B238-44B8-A3F6-C2FD91EEADBC",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1724D78F-EE79-4E48-BDB2-D399C573F42D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF3856F1-9777-4389-A8B5-228EE3858C89",
              "versionEndExcluding": "1.303",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "115129D2-5134-4BCD-B5D0-263F4687B59D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
    },
    {
      "lang": "es",
      "value": "Un atacante autenticado puede enviar una ruta especialmente dise\u00f1ada al binario \"edit_route.cgi\" y hacer que ejecute comandos de shell. Esta vulnerabilidad afecta a los productos basados en los controladores inteligentes HID Mercury LP1501, LP1502, LP2500, LP4502 y EP4502 que contienen versiones de firmware anteriores a 1.303 para la serie LP y 1.297 para la serie EP. Un atacante con este nivel de acceso en el dispositivo puede monitorear todas las comunicaciones enviadas hacia y desde este dispositivo, modificar los rel\u00e9s incorporados, cambiar los archivos de configuraci\u00f3n o causar que el dispositivo se vuelva inestable"
    }
  ],
  "id": "CVE-2022-31486",
  "lastModified": "2024-11-21T07:04:33.760",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "productsecurity@carrier.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-06T17:15:11.810",
  "references": [
    {
      "source": "productsecurity@carrier.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
    }
  ],
  "sourceIdentifier": "productsecurity@carrier.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "productsecurity@carrier.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-31486

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-31486

Aliases

CVE-2022-31486

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-31486",
    "description": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.",
    "id": "GSD-2022-31486"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31486"
      ],
      "details": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.",
      "id": "GSD-2022-31486",
      "modified": "2023-12-13T01:19:17.851863Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "productsecurity@carrier.com",
        "DATE_PUBLIC": "2022-06-02T22:00:00.000Z",
        "ID": "CVE-2022-31486",
        "STATE": "PUBLIC",
        "TITLE": "Command injection via Advanced Networking route add functionality"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "LNL-X2210",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LNL-X2220",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LNL-X3300",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LNL-X4420",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LNL-4420",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.297"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "S2-LP-1501",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "S2-LP-1502",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "S2-LP-2500",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "S2-LP-4502",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "LenelS2"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "LP1501",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LP1502",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LP2500",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "LP4502",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.303"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "EP4502",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "ALL",
                          "version_value": "1.297"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "HID Mercury"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Sam Quinn @eAyeP and Steve Povolny @spovolny from Trellix Threat Labs"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-78 OS Command Injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.corporate.carrier.com/product-security/advisories-resources/",
            "refsource": "MISC",
            "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Update to the latest version of firmware"
        }
      ],
      "source": {
        "advisory": "CARR-PSA-006-0522",
        "discovery": "EXTERNAL"
      },
      "work_around": [
        {
          "lang": "eng",
          "value": "Disable the controller\u0027s Web Server.  \nWhen the controller is configured to disable web access, you cannot remotely login into the controller\u2019s web page.\n1. Login to controller web pages\n2. Go to \u201cUsers\u201d Tab\n3. Near bottom of the Users page, check option to \u201cDisable Web Server\u201d\n4. Then select \u201cSubmit\u201d at the bottom of the page\n5. Then select \u201cApply Settings\u201d tab\n6. And on that page, select button \u201cApply Settings, Reboot\u201d\nThe Controller will apply the new setting and reboot. Web login will be disabled until switch 1 is physically turned ON, on the controller."
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:hidglobal:lp1501_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hidglobal:lp1501:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:hidglobal:lp1502_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hidglobal:lp1502:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:hidglobal:lp2500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hidglobal:lp2500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:hidglobal:lp4502_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hidglobal:lp4502:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:hidglobal:ep4502_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.297",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hidglobal:ep4502:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_lnl-4420_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.297",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_lnl-4420:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_lnl-x2210_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_lnl-x2210:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_lnl-x2220_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_lnl-x2220:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_lnl-x3300_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_lnl-x3300:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_lnl-x4420_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_lnl-x4420:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_s2-lp-1501_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_s2-lp-1501:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_s2-lp-1502_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_s2-lp-1502:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_s2-lp-2500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_s2-lp-2500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:carrier:lenels2_s2-lp-4502_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.303",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:carrier:lenels2_s2-lp-4502:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "productsecurity@carrier.com",
          "ID": "CVE-2022-31486"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An authenticated attacker can send a specially crafted route to the \u201cedit_route.cgi\u201d binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.corporate.carrier.com/product-security/advisories-resources/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.corporate.carrier.com/product-security/advisories-resources/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-06-17T14:56Z",
      "publishedDate": "2022-06-06T17:15Z"
    }
  }
}

CNVD-2022-77059

Vulnerability from cnvd - Published: 2022-11-15

Title

Carrier LenelS2 HID Mercury access panels操作系统命令注入漏洞

Description

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels存在操作系统命令注入漏洞，攻击者可利用该漏洞将特制数据传递给应用程序并在目标系统上执行任意操作系统命令。

Severity

高

Patch Name

Carrier LenelS2 HID Mercury access panels操作系统命令注入漏洞的补丁

Patch Description

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels存在操作系统命令注入漏洞，攻击者可利用该漏洞将特制数据传递给应用程序并在目标系统上执行任意操作系统命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.corporate.carrier.com/Images/CARR-PSA-HID-Mercury-Vulnerabilities-006-0622_tcm558-170514.pdf

Reference

https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01

Impacted products

Name
['Carrier LenelS2 LNL-X3300', 'Carrier LenelS2 LNL-X4420', 'Carrier LenelS2 LNL-4420', 'Carrier LenelS2 S2-LP-1501', 'Carrier LenelS2 S2-LP-4502', 'Carrier LenelS2 S2-LP-2500', 'Carrier LenelS2 S2-LP-1502', 'Carrier LenelS2 LNL-X2210', 'Carrier LenelS2 LNL-X2220']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-31486"
    }
  },
  "description": "Carrier LenelS2 HID Mercury access panels\u662f\u7f8e\u56fdCarrier\u516c\u53f8\u7684\u4e00\u4e2a\u63a7\u5236\u5668\u9762\u677f\u3002\n\nCarrier LenelS2 HID Mercury access panels\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u7279\u5236\u6570\u636e\u4f20\u9012\u7ed9\u5e94\u7528\u7a0b\u5e8f\u5e76\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.corporate.carrier.com/Images/CARR-PSA-HID-Mercury-Vulnerabilities-006-0622_tcm558-170514.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-77059",
  "openTime": "2022-11-15",
  "patchDescription": "Carrier LenelS2 HID Mercury access panels\u662f\u7f8e\u56fdCarrier\u516c\u53f8\u7684\u4e00\u4e2a\u63a7\u5236\u5668\u9762\u677f\u3002\r\n\r\nCarrier LenelS2 HID Mercury access panels\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u7279\u5236\u6570\u636e\u4f20\u9012\u7ed9\u5e94\u7528\u7a0b\u5e8f\u5e76\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Carrier LenelS2 HID Mercury access panels\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Carrier LenelS2 LNL-X3300",
      "Carrier LenelS2 LNL-X4420",
      "Carrier LenelS2 LNL-4420",
      "Carrier LenelS2 S2-LP-1501",
      "Carrier LenelS2 S2-LP-4502",
      "Carrier LenelS2 S2-LP-2500",
      "Carrier LenelS2 S2-LP-1502",
      "Carrier LenelS2 LNL-X2210",
      "Carrier LenelS2 LNL-X2220"
    ]
  },
  "referenceLink": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01",
  "serverity": "\u9ad8",
  "submitTime": "2022-06-05",
  "title": "Carrier LenelS2 HID Mercury access panels\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-31486 (GCVE-0-2022-31486)

GHSA-75HQ-CQH2-XF56

ICSA-22-153-01

FKIE_CVE-2022-31486

GSD-2022-31486

CNVD-2022-77059

Tags

Sightings

Nomenclature