cvelistv5 - cve-2022-0223

CVE-2022-0223 (GCVE-0-2022-0223)

Vulnerability from cvelistv5 – Published: 2023-01-30 00:00 – Updated: 2025-02-05 20:09

Summary

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

schneider

References

URL

Tags

https://download.schneider-electric.com/files?p_e…

Impacted products

	Vendor	Product	Version
	Schneider Electric	EcoStruxure Power Commission	Affected: All , < V2.22 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:42.838Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-0223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T19:50:51.006673Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T20:09:13.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EcoStruxure Power Commission",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "lessThan": "V2.22",
              "status": "affected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-06-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-30T00:00:00.000Z",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2022-0223",
    "datePublished": "2023-01-30T00:00:00.000Z",
    "dateReserved": "2022-01-13T00:00:00.000Z",
    "dateUpdated": "2025-02-05T20:09:13.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:schneider-electric:ecostruxure_power_commission:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.22\", \"matchCriteriaId\": \"E59BB009-9A61-46F7-BC46-44B4EC678EE4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad CWE-22: limitaci\\u00f3n inadecuada de un nombre de ruta a un directorio restringido (\\\"Path Traversal\\\") que podr\\u00eda permitir a un atacante crear o sobrescribir archivos cr\\u00edticos que se utilizan para ejecutar c\\u00f3digo, como programas o librer\\u00edas, y provocar la ejecuci\\u00f3n de c\\u00f3digo no autenticado. Productos afectados: EcoStruxure Power Commission (versiones anteriores a la V2.22)\"}]",
      "id": "CVE-2022-0223",
      "lastModified": "2024-11-21T06:38:10.670",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cybersecurity@se.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-01-30T23:15:09.427",
      "references": "[{\"url\": \"https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "cybersecurity@se.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@se.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0223\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2023-01-30T23:15:09.427\",\"lastModified\":\"2024-11-21T06:38:10.670\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad CWE-22: limitaci\u00f3n inadecuada de un nombre de ruta a un directorio restringido (\\\"Path Traversal\\\") que podr\u00eda permitir a un atacante crear o sobrescribir archivos cr\u00edticos que se utilizan para ejecutar c\u00f3digo, como programas o librer\u00edas, y provocar la ejecuci\u00f3n de c\u00f3digo no autenticado. Productos afectados: EcoStruxure Power Commission (versiones anteriores a la V2.22)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_power_commission:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.22\",\"matchCriteriaId\":\"E59BB009-9A61-46F7-BC46-44B4EC678EE4\"}]}]}],\"references\":[{\"url\":\"https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:18:42.838Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-0223\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-05T19:50:51.006673Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-05T19:50:52.472Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Schneider Electric\", \"product\": \"EcoStruxure Power Commission\", \"versions\": [{\"status\": \"affected\", \"version\": \"All\", \"lessThan\": \"V2.22\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2022-06-14T00:00:00.000Z\", \"references\": [{\"url\": \"https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"shortName\": \"schneider\", \"dateUpdated\": \"2023-01-30T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-0223\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-05T20:09:13.271Z\", \"dateReserved\": \"2022-01-13T00:00:00.000Z\", \"assignerOrgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"datePublished\": \"2023-01-30T00:00:00.000Z\", \"assignerShortName\": \"schneider\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-0223

Vulnerability from fkie_nvd - Published: 2023-01-30 23:15 - Updated: 2024-11-21 06:38

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	cybersecurity@se.com	https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	schneider-electric	ecostruxure_power_commission	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_commission:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E59BB009-9A61-46F7-BC46-44B4EC678EE4",
              "versionEndExcluding": "2.22",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)"
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad CWE-22: limitaci\u00f3n inadecuada de un nombre de ruta a un directorio restringido (\"Path Traversal\") que podr\u00eda permitir a un atacante crear o sobrescribir archivos cr\u00edticos que se utilizan para ejecutar c\u00f3digo, como programas o librer\u00edas, y provocar la ejecuci\u00f3n de c\u00f3digo no autenticado. Productos afectados: EcoStruxure Power Commission (versiones anteriores a la V2.22)"
    }
  ],
  "id": "CVE-2022-0223",
  "lastModified": "2024-11-21T06:38:10.670",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "cybersecurity@se.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-30T23:15:09.427",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "cybersecurity@se.com",
      "type": "Primary"
    }
  ]
}

GHSA-4636-45W3-PR9Q

Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 03:30

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-0223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)",
  "id": "GHSA-4636-45w3-pr9q",
  "modified": "2023-02-07T03:30:23Z",
  "published": "2023-01-31T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0223"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-0223

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-0223

Aliases

CVE-2022-0223

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-0223",
    "description": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)",
    "id": "GSD-2022-0223"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-0223"
      ],
      "details": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)",
      "id": "GSD-2022-0223",
      "modified": "2023-12-13T01:19:11.558465Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@schneider-electric.com",
        "DATE_PUBLIC": "2022-06-14T07:00:00.000Z",
        "ID": "CVE-2022-0223",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "EcoStruxure Power Commission",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "All",
                          "version_value": "V2.22"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Schneider Electric"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf",
            "refsource": "MISC",
            "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:schneider-electric:ecostruxure_power_commission:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.22",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2022-0223"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-07T02:36Z",
      "publishedDate": "2023-01-30T23:15Z"
    }
  }
}

CERTFR-2022-AVI-546

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Schneider Electric	N/A	Schneider Electric C-Bus Network Automation Controller LSS5500SHAC versions antérieures à 1.11.0
Schneider Electric	N/A	Clipsal C-Bus Network Automation Controller 5500SHAC versions antérieures à 1.11.0
Schneider Electric	N/A	Conext ComBox toutes versions
Schneider Electric	N/A	SpaceLogic C-Bus Network Automation Controller 5500NAC2 versions antérieures à 1.11.0
Schneider Electric	N/A	CanBRASS versions antérieures à 7.6
Schneider Electric	N/A	StruxureWare Data Center Expert versions antérieures à 7.9.1
N/A	N/A	EcoStruxure Power Commission versions antérieures à 2.22
Schneider Electric	N/A	Smart-UPS SMT SMC, SMX, SRC, XU, XP, SURTD, CHS2 et SRTL Series toutes versions
Schneider Electric	N/A	EcoStruxure Cybersecurity Admin Expert (CAE) versions antérieures à 2.4
Schneider Electric	N/A	IGSS Data Server versions antérieures à 15.0.0.22170
Schneider Electric	N/A	Geo SCADA Mobile versions antérieures au Build 202205171
Schneider Electric	N/A	Smart-UPS SRT Series versions antérieures à 15.0
Schneider Electric	N/A	Schneider Electric C-Bus Network Automation Controller LSS5500NAC versions antérieures à 1.11.0
Schneider Electric	N/A	EcoStruxure Power Build: Rapsody Software versions antérieures à 2.1.13
Schneider Electric	N/A	EPC2000 versions antérieures à 4.03
Schneider Electric	N/A	Versadac versions antérieures à 2.43
Schneider Electric	N/A	Clipsal C-Bus Network Automation Controller 5500NAC versions antérieures à 1.11.0
Schneider Electric	N/A	SCADAPack RemoteConnect pour x70 versions antérieures à R2.7.3
Schneider Electric	N/A	SpaceLogic C-Bus Network Automation Controller 5500AC2 versions antérieures à 1.11.0
Schneider Electric	N/A	Smart-UPS SCL Series versions antérieures à 15.1

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2022-067-02 du 08 mars 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-07 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-06 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-067-01 du 08 mars 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-02 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-08 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-012-02 du 12 janvier 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-04 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-01 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-05 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-313-05 du 09 novembre 2021	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-03 du 14 juin 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Schneider Electric C-Bus Network Automation Controller LSS5500SHAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Clipsal C-Bus Network Automation Controller 5500SHAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Conext ComBox toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "SpaceLogic C-Bus Network Automation Controller 5500NAC2 versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "CanBRASS versions ant\u00e9rieures \u00e0 7.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "StruxureWare Data Center Expert versions ant\u00e9rieures \u00e0 7.9.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure Power Commission versions ant\u00e9rieures \u00e0 2.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Smart-UPS SMT SMC, SMX, SRC, XU, XP, SURTD, CHS2 et SRTL Series toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure Cybersecurity Admin Expert (CAE) versions ant\u00e9rieures \u00e0 2.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "IGSS Data Server versions ant\u00e9rieures \u00e0 15.0.0.22170",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Geo SCADA Mobile versions ant\u00e9rieures au Build 202205171",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Smart-UPS SRT Series versions ant\u00e9rieures \u00e0 15.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric C-Bus Network Automation Controller LSS5500NAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure Power Build: Rapsody Software versions ant\u00e9rieures \u00e0 2.1.13",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EPC2000 versions ant\u00e9rieures \u00e0 4.03",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Versadac versions ant\u00e9rieures \u00e0 2.43",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Clipsal C-Bus Network Automation Controller 5500NAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "SCADAPack RemoteConnect pour x70 versions ant\u00e9rieures \u00e0 R2.7.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "SpaceLogic C-Bus Network Automation Controller 5500AC2 versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Smart-UPS SCL Series versions ant\u00e9rieures \u00e0 15.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-32524",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32524"
    },
    {
      "name": "CVE-2022-24322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24322"
    },
    {
      "name": "CVE-2022-22731",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22731"
    },
    {
      "name": "CVE-2022-32514",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32514"
    },
    {
      "name": "CVE-2020-35198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
    },
    {
      "name": "CVE-2022-32517",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32517"
    },
    {
      "name": "CVE-2022-32526",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32526"
    },
    {
      "name": "CVE-2022-32530",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32530"
    },
    {
      "name": "CVE-2022-32748",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32748"
    },
    {
      "name": "CVE-2022-22806",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22806"
    },
    {
      "name": "CVE-2022-32529",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32529"
    },
    {
      "name": "CVE-2022-32513",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32513"
    },
    {
      "name": "CVE-2022-32747",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32747"
    },
    {
      "name": "CVE-2022-32523",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32523"
    },
    {
      "name": "CVE-2022-32528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32528"
    },
    {
      "name": "CVE-2022-32516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32516"
    },
    {
      "name": "CVE-2022-32522",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32522"
    },
    {
      "name": "CVE-2022-32527",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32527"
    },
    {
      "name": "CVE-2022-32515",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32515"
    },
    {
      "name": "CVE-2021-22697",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22697"
    },
    {
      "name": "CVE-2022-0715",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0715"
    },
    {
      "name": "CVE-2022-0223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0223"
    },
    {
      "name": "CVE-2022-32519",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32519"
    },
    {
      "name": "CVE-2022-22805",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22805"
    },
    {
      "name": "CVE-2022-24323",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24323"
    },
    {
      "name": "CVE-2022-32512",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32512"
    },
    {
      "name": "CVE-2022-32518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32518"
    },
    {
      "name": "CVE-2022-22732",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22732"
    },
    {
      "name": "CVE-2020-28895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
    },
    {
      "name": "CVE-2022-32520",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32520"
    },
    {
      "name": "CVE-2022-32525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32525"
    },
    {
      "name": "CVE-2021-22698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22698"
    },
    {
      "name": "CVE-2022-32521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32521"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-546",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-06-15T00:00:00.000000"
    },
    {
      "description": "Modification de la version des produits IGSS Data Server",
      "revision_date": "2022-06-23T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour du lien du bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-067-02 du 08 mars 2022.",
      "revision_date": "2022-08-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-067-02 du 08 mars 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-02_APC-Smart-UPS_Security_Notification_V6.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-07 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-07_CanBRASS_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-06 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-06_C-Bus_Home_Automation_Products_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-067-01 du 08 mars 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-01_EcoStruxure_Control_Expert_and_EcoStruxure_Process_Expert_Security_Notification_V2.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-02 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-02_Geo_SCADA_Android_App_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-08 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-08_Cybersecurity_Admin_Expert_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-012-02 du 12 janvier 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-012-02_EcoStruxure_Power_Build_Rapsody_Security_Notification_V2.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-04 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-04_%20StruxureWare_Data_Center_Expert_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-01 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-05 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-313-05 du 09 novembre 2021",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-313-05_Badalloc_Vulnerabilities_Security_Notification_V8.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-03 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-03_ConextCombox_Security_Notification.pdf"
    }
  ]
}

CERTFR-2022-AVI-546

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Schneider Electric	N/A	Schneider Electric C-Bus Network Automation Controller LSS5500SHAC versions antérieures à 1.11.0
Schneider Electric	N/A	Clipsal C-Bus Network Automation Controller 5500SHAC versions antérieures à 1.11.0
Schneider Electric	N/A	Conext ComBox toutes versions
Schneider Electric	N/A	SpaceLogic C-Bus Network Automation Controller 5500NAC2 versions antérieures à 1.11.0
Schneider Electric	N/A	CanBRASS versions antérieures à 7.6
Schneider Electric	N/A	StruxureWare Data Center Expert versions antérieures à 7.9.1
N/A	N/A	EcoStruxure Power Commission versions antérieures à 2.22
Schneider Electric	N/A	Smart-UPS SMT SMC, SMX, SRC, XU, XP, SURTD, CHS2 et SRTL Series toutes versions
Schneider Electric	N/A	EcoStruxure Cybersecurity Admin Expert (CAE) versions antérieures à 2.4
Schneider Electric	N/A	IGSS Data Server versions antérieures à 15.0.0.22170
Schneider Electric	N/A	Geo SCADA Mobile versions antérieures au Build 202205171
Schneider Electric	N/A	Smart-UPS SRT Series versions antérieures à 15.0
Schneider Electric	N/A	Schneider Electric C-Bus Network Automation Controller LSS5500NAC versions antérieures à 1.11.0
Schneider Electric	N/A	EcoStruxure Power Build: Rapsody Software versions antérieures à 2.1.13
Schneider Electric	N/A	EPC2000 versions antérieures à 4.03
Schneider Electric	N/A	Versadac versions antérieures à 2.43
Schneider Electric	N/A	Clipsal C-Bus Network Automation Controller 5500NAC versions antérieures à 1.11.0
Schneider Electric	N/A	SCADAPack RemoteConnect pour x70 versions antérieures à R2.7.3
Schneider Electric	N/A	SpaceLogic C-Bus Network Automation Controller 5500AC2 versions antérieures à 1.11.0
Schneider Electric	N/A	Smart-UPS SCL Series versions antérieures à 15.1

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2022-067-02 du 08 mars 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-07 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-06 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-067-01 du 08 mars 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-02 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-08 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-012-02 du 12 janvier 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-04 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-01 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-05 du 14 juin 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-313-05 du 09 novembre 2021	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2022-165-03 du 14 juin 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Schneider Electric C-Bus Network Automation Controller LSS5500SHAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Clipsal C-Bus Network Automation Controller 5500SHAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Conext ComBox toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "SpaceLogic C-Bus Network Automation Controller 5500NAC2 versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "CanBRASS versions ant\u00e9rieures \u00e0 7.6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "StruxureWare Data Center Expert versions ant\u00e9rieures \u00e0 7.9.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure Power Commission versions ant\u00e9rieures \u00e0 2.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Smart-UPS SMT SMC, SMX, SRC, XU, XP, SURTD, CHS2 et SRTL Series toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure Cybersecurity Admin Expert (CAE) versions ant\u00e9rieures \u00e0 2.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "IGSS Data Server versions ant\u00e9rieures \u00e0 15.0.0.22170",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Geo SCADA Mobile versions ant\u00e9rieures au Build 202205171",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Smart-UPS SRT Series versions ant\u00e9rieures \u00e0 15.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric C-Bus Network Automation Controller LSS5500NAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure Power Build: Rapsody Software versions ant\u00e9rieures \u00e0 2.1.13",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EPC2000 versions ant\u00e9rieures \u00e0 4.03",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Versadac versions ant\u00e9rieures \u00e0 2.43",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Clipsal C-Bus Network Automation Controller 5500NAC versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "SCADAPack RemoteConnect pour x70 versions ant\u00e9rieures \u00e0 R2.7.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "SpaceLogic C-Bus Network Automation Controller 5500AC2 versions ant\u00e9rieures \u00e0 1.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Smart-UPS SCL Series versions ant\u00e9rieures \u00e0 15.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-32524",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32524"
    },
    {
      "name": "CVE-2022-24322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24322"
    },
    {
      "name": "CVE-2022-22731",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22731"
    },
    {
      "name": "CVE-2022-32514",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32514"
    },
    {
      "name": "CVE-2020-35198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
    },
    {
      "name": "CVE-2022-32517",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32517"
    },
    {
      "name": "CVE-2022-32526",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32526"
    },
    {
      "name": "CVE-2022-32530",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32530"
    },
    {
      "name": "CVE-2022-32748",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32748"
    },
    {
      "name": "CVE-2022-22806",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22806"
    },
    {
      "name": "CVE-2022-32529",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32529"
    },
    {
      "name": "CVE-2022-32513",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32513"
    },
    {
      "name": "CVE-2022-32747",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32747"
    },
    {
      "name": "CVE-2022-32523",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32523"
    },
    {
      "name": "CVE-2022-32528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32528"
    },
    {
      "name": "CVE-2022-32516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32516"
    },
    {
      "name": "CVE-2022-32522",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32522"
    },
    {
      "name": "CVE-2022-32527",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32527"
    },
    {
      "name": "CVE-2022-32515",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32515"
    },
    {
      "name": "CVE-2021-22697",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22697"
    },
    {
      "name": "CVE-2022-0715",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0715"
    },
    {
      "name": "CVE-2022-0223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0223"
    },
    {
      "name": "CVE-2022-32519",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32519"
    },
    {
      "name": "CVE-2022-22805",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22805"
    },
    {
      "name": "CVE-2022-24323",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24323"
    },
    {
      "name": "CVE-2022-32512",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32512"
    },
    {
      "name": "CVE-2022-32518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32518"
    },
    {
      "name": "CVE-2022-22732",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22732"
    },
    {
      "name": "CVE-2020-28895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
    },
    {
      "name": "CVE-2022-32520",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32520"
    },
    {
      "name": "CVE-2022-32525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32525"
    },
    {
      "name": "CVE-2021-22698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22698"
    },
    {
      "name": "CVE-2022-32521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32521"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-546",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-06-15T00:00:00.000000"
    },
    {
      "description": "Modification de la version des produits IGSS Data Server",
      "revision_date": "2022-06-23T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour du lien du bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-067-02 du 08 mars 2022.",
      "revision_date": "2022-08-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-067-02 du 08 mars 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-02_APC-Smart-UPS_Security_Notification_V6.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-07 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-07_CanBRASS_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-06 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-06_C-Bus_Home_Automation_Products_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-067-01 du 08 mars 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-01_EcoStruxure_Control_Expert_and_EcoStruxure_Process_Expert_Security_Notification_V2.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-02 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-02_Geo_SCADA_Android_App_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-08 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-08_Cybersecurity_Admin_Expert_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-012-02 du 12 janvier 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-012-02_EcoStruxure_Power_Build_Rapsody_Security_Notification_V2.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-04 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-04_%20StruxureWare_Data_Center_Expert_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-01 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-05 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-05_EcoStruxure_Power_Commission_Security_Notification.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-313-05 du 09 novembre 2021",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-313-05_Badalloc_Vulnerabilities_Security_Notification_V8.0.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-165-03 du 14 juin 2022",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-03_ConextCombox_Security_Notification.pdf"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-0223 (GCVE-0-2022-0223)

FKIE_CVE-2022-0223

GHSA-4636-45W3-PR9Q

GSD-2022-0223

CERTFR-2022-AVI-546

Solution

CERTFR-2022-AVI-546

Solution

Tags

Sightings

Nomenclature