CVE-2022-38355 (GCVE-0-2022-38355)

Vulnerability from cvelistv5 – Published: 2022-12-13 21:12 – Updated: 2025-04-16 16:04
VLAI?
Summary
Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to attackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
Daikin SVMPC1 Affected: 0 , ≤ 2.1.22 (custom)
Create a notification for this product.
    Daikin SVMPC2 Affected: 0 , ≤ 1.2.3 (custom)
Create a notification for this product.
Credits
Chizuru Toyama from TXOne Networks reported these vulnerabilities to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:54:03.383Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-38355",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T15:53:21.791214Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T16:04:52.712Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SVMPC1 ",
          "vendor": "Daikin",
          "versions": [
            {
              "lessThanOrEqual": "2.1.22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SVMPC2",
          "vendor": "Daikin",
          "versions": [
            {
              "lessThanOrEqual": "1.2.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Chizuru Toyama from TXOne Networks reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eattackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.\u003c/span\u003e\n\n"
            }
          ],
          "value": "Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to \n\nattackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-13T21:12:06.551Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\nDaikin Holdings Singapore Pte Ltd. has released an update that will \nautomatically install if the SVM controller is enabled. No user \noperation is required. \n\n\u003cbr\u003e"
            }
          ],
          "value": "Daikin Holdings Singapore Pte Ltd. has released an update that will \nautomatically install if the SVM controller is enabled. No user \noperation is required. \n\n\n"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2022-38355",
    "datePublished": "2022-12-13T21:12:06.551Z",
    "dateReserved": "2022-09-29T14:08:03.143Z",
    "dateUpdated": "2025-04-16T16:04:52.712Z",
    "requesterUserId": "bc31a57b-b1a5-40e2-9263-67c0ae8a3b8a",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:daikinlatam:svmpc1:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.1.22\", \"matchCriteriaId\": \"C5C6014E-6AE2-4F00-A6E9-0A7AE1363B1D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:daikinlatam:svmpc2:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.2.3\", \"matchCriteriaId\": \"B86F9209-C569-49B7-AEBF-ECF9C46DF4FC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to \\n\\nattackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Daikin SVMPC1 versi\\u00f3n 2.1.22 y anteriores y SVMPC2 versi\\u00f3n 1.2.3 y anteriores son vulnerables a atacantes con acceso a la red de \\u00e1rea local (LAN) para revelar informaci\\u00f3n confidencial almacenada por el producto afectado sin requerir autenticaci\\u00f3n.\"}]",
      "id": "CVE-2022-38355",
      "lastModified": "2024-11-21T07:16:19.087",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2022-12-13T22:15:10.090",
      "references": "[{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-38355\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2022-12-13T22:15:10.090\",\"lastModified\":\"2024-11-21T07:16:19.087\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to \\n\\nattackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Daikin SVMPC1 versi\u00f3n 2.1.22 y anteriores y SVMPC2 versi\u00f3n 1.2.3 y anteriores son vulnerables a atacantes con acceso a la red de \u00e1rea local (LAN) para revelar informaci\u00f3n confidencial almacenada por el producto afectado sin requerir autenticaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:daikinlatam:svmpc1:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.1.22\",\"matchCriteriaId\":\"C5C6014E-6AE2-4F00-A6E9-0A7AE1363B1D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:daikinlatam:svmpc2:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.2.3\",\"matchCriteriaId\":\"B86F9209-C569-49B7-AEBF-ECF9C46DF4FC\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"SVMPC1 \", \"vendor\": \"Daikin\", \"versions\": [{\"lessThanOrEqual\": \"2.1.22\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"SVMPC2\", \"vendor\": \"Daikin\", \"versions\": [{\"lessThanOrEqual\": \"1.2.3\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Chizuru Toyama from TXOne Networks reported these vulnerabilities to CISA.\"}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to \\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eattackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.\u003c/span\u003e\\n\\n\"}], \"value\": \"Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to \\n\\nattackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.\\n\\n\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2022-12-13T21:12:06.551Z\"}, \"references\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02\"}], \"solutions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\\nDaikin Holdings Singapore Pte Ltd. has released an update that will \\nautomatically install if the SVM controller is enabled. No user \\noperation is required. \\n\\n\u003cbr\u003e\"}], \"value\": \"Daikin Holdings Singapore Pte Ltd. has released an update that will \\nautomatically install if the SVM controller is enabled. No user \\noperation is required. \\n\\n\\n\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T10:54:03.383Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-38355\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-16T15:53:21.791214Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-16T15:53:23.503Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-38355\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"icscert\", \"requesterUserId\": \"bc31a57b-b1a5-40e2-9263-67c0ae8a3b8a\", \"dateReserved\": \"2022-09-29T14:08:03.143Z\", \"datePublished\": \"2022-12-13T21:12:06.551Z\", \"dateUpdated\": \"2025-04-16T16:04:52.712Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.