cvelistv5 - cve-2022-41663

▼	URL	Tags
	productcert@siemens.com	https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf	Vendor Advisory

▼	Vendor	Product
	Siemens	JT2Go
	Siemens	Teamcenter Visualization V13.2
	Siemens	Teamcenter Visualization V13.3
	Siemens	Teamcenter Visualization V14.0
	Siemens	Teamcenter Visualization V14.1

var-202211-0309

Vulnerability from variot

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.2 (All versions < V13.2.0.12), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process. Siemens' JT2Go and Teamcenter Visualization Exists in a vulnerability related to the use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202211-0309",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "jt2go",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "14.1.0.4"
      },
      {
        "model": "teamcenter visualization",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "13.3.0.7"
      },
      {
        "model": "teamcenter visualization",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "14.1"
      },
      {
        "model": "teamcenter visualization",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "14.1.0.4"
      },
      {
        "model": "teamcenter visualization",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "14.0"
      },
      {
        "model": "teamcenter visualization",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "13.3.0"
      },
      {
        "model": "teamcenter visualization",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "14.0.0.3"
      },
      {
        "model": "teamcenter visualization",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
        "version": null
      },
      {
        "model": "jt2go",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30b7\u30fc\u30e1\u30f3\u30b9",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:siemens:jt2go:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.1.0.4",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.3.0.7",
                "versionStartIncluding": "13.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.0.0.3",
                "versionStartIncluding": "14.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.1.0.4",
                "versionStartIncluding": "14.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      }
    ]
  },
  "cve": "CVE-2022-41663",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2022-41663",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-41663",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "productcert@siemens.com",
            "id": "CVE-2022-41663",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202211-2314",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A vulnerability has been identified in JT2Go (All versions \u003c  V14.1.0.4), Teamcenter Visualization V13.2 (All versions \u003c V13.2.0.12), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.7), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.3), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process. Siemens\u0027 JT2Go and Teamcenter Visualization Exists in a vulnerability related to the use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      }
    ],
    "trust": 1.62
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-41663",
        "trust": 3.2
      },
      {
        "db": "SIEMENS",
        "id": "SSA-120378",
        "trust": 2.4
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-22-314-09",
        "trust": 0.8
      },
      {
        "db": "JVN",
        "id": "JVNVU93762879",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "id": "VAR-202211-0309",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.15799868
  },
  "last_update_date": "2023-12-18T10:53:12.291000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Siemens JT2Go  and Teamcenter Remediation of resource management error vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=213368"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-416",
        "trust": 1.0
      },
      {
        "problemtype": "Use of freed memory (CWE-416) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu93762879/"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41663"
      },
      {
        "trust": 0.8,
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-09"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-41663/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-11-21T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "date": "2022-11-08T11:15:11.753000",
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "date": "2022-11-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-11-21T01:47:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      },
      {
        "date": "2023-06-13T09:15:15.243000",
        "db": "NVD",
        "id": "CVE-2022-41663"
      },
      {
        "date": "2023-06-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Siemens\u0027 \u00a0JT2Go\u00a0 and \u00a0Teamcenter\u00a0Visualization\u00a0 Vulnerability in using free memory in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-022823"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "resource management error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-2314"
      }
    ],
    "trust": 0.6
  }
}

ghsa-fv7q-rvfh-pg5h

Vulnerability from github

Published

2022-11-08 12:00

Modified

2022-11-08 19:00

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-41663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-08T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in JT2Go (All versions \u003c V14.1.0.4), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.7), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.3), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.",
  "id": "GHSA-fv7q-rvfh-pg5h",
  "modified": "2022-11-08T19:00:22Z",
  "published": "2022-11-08T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41663"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

icsa-22-314-09

Vulnerability from csaf_cisa

Published

2022-11-10 00:00

Modified

2022-12-15 00:00

Summary

Siemens Teamcenter Visualization and JT2Go

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the current process.

Critical infrastructure sectors

Critical Manufacturing

Countries/areas deployed

Worldwide

Company headquarters location

Germany

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Nafiez",
          "Michael Heinzl"
        ],
        "summary": "reporting these vulnerabilities to Siemens"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the current process.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Germany",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SSA-120378: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-120378.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-22-314-09 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-314-09.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-22-314-09 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-09"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-09"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "SSA-120378: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - PDF Version",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf"
      },
      {
        "category": "external",
        "summary": "SSA-120378: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - TXT Version",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-120378.txt"
      }
    ],
    "title": "Siemens Teamcenter Visualization and JT2Go",
    "tracking": {
      "current_release_date": "2022-12-15T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-22-314-09",
      "initial_release_date": "2022-11-10T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2022-11-10T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Siemens Teamcenter Visualization and JT2Go (Update A)"
        },
        {
          "date": "2022-12-15T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "Siemens Teamcenter Visualization and JT2Go (Update A)"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c  V14.1.0.4",
                "product": {
                  "name": "JT2Go",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "JT2Go"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V13.3.0.7",
                "product": {
                  "name": "Teamcenter Visualization V13.3",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003e= V13.3.0.7 \u003c V13.3.0.8",
                "product": {
                  "name": "Teamcenter Visualization V13.3",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V13.3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V14.0.0.3",
                "product": {
                  "name": "Teamcenter Visualization V14.0",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V14.0"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c V14.1.0.4",
                "product": {
                  "name": "Teamcenter Visualization V14.1",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V14.1"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-39136",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application is vulnerable to fixed-length heap-based buffer while parsing specially crafted TIF files. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2022-39136 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "nvd.nist.gov",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39136"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted CGM, TIF or PDF files in JT2Go and Teamcenter Visualization",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.7 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.0.0.3 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0005"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.8 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "mitigation",
          "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2022-39136"
    },
    {
      "cve": "CVE-2022-41660",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected products contain an out of bounds write vulnerability when parsing a CGM file. An attacker can leverage this vulnerability to execute code in the context of the current process. CVE-2022-41660 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "nvd.nist.gov",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41660"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted CGM, TIF or PDF files in JT2Go and Teamcenter Visualization",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.7 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.0.0.3 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0005"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html"
        },
        {
          "category": "mitigation",
          "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2022-41660"
    },
    {
      "cve": "CVE-2022-41661",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected products contain an out of bounds read vulnerability when parsing a CGM file. An attacker can leverage this vulnerability to execute code in the context of the current process. CVE-2022-41661 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "nvd.nist.gov",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41661"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted CGM, TIF or PDF files in JT2Go and Teamcenter Visualization",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.7 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.0.0.3 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0005"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html"
        },
        {
          "category": "mitigation",
          "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2022-41661"
    },
    {
      "cve": "CVE-2022-41662",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected products contain an out of bounds read vulnerability when parsing a CGM file. An attacker can leverage this vulnerability to execute code in the context of the current process. CVE-2022-41662 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "nvd.nist.gov",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41662"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted CGM, TIF or PDF files in JT2Go and Teamcenter Visualization",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.7 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.0.0.3 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0005"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html"
        },
        {
          "category": "mitigation",
          "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2022-41662"
    },
    {
      "cve": "CVE-2022-41663",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2022-41663 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "nvd.nist.gov",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41663"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted CGM, TIF or PDF files in JT2Go and Teamcenter Visualization",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.7 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.0.0.3 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0005"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html"
        },
        {
          "category": "mitigation",
          "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2022-41663"
    },
    {
      "cve": "CVE-2022-41664",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application contains a stack-based buffer overflow vulnerability that could be triggered while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process. CVE-2022-41664 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0004",
          "CSAFPID-0005"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "nvd.nist.gov",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41664"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted CGM, TIF or PDF files in JT2Go and Teamcenter Visualization",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V13.3.0.7 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.0.0.3 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0005"
          ],
          "url": "https://support.sw.siemens.com/"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.1.0.4 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html"
        },
        {
          "category": "mitigation",
          "details": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: \nhttps://www.siemens.com/industrialsecurity",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0004",
            "CSAFPID-0005"
          ]
        }
      ],
      "title": "CVE-2022-41664"
    }
  ]
}

gsd-2022-41663

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.2 (All versions < V13.2.0.12), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.

Aliases

CVE-2022-41663

Aliases

CVE-2022-41663

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-41663",
    "id": "GSD-2022-41663"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-41663"
      ],
      "details": "A vulnerability has been identified in JT2Go (All versions \u003c  V14.1.0.4), Teamcenter Visualization V13.2 (All versions \u003c V13.2.0.12), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.7), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.3), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.",
      "id": "GSD-2022-41663",
      "modified": "2023-12-13T01:19:32.593253Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "productcert@siemens.com",
        "ID": "CVE-2022-41663",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "JT2Go",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c  V14.1.0.4"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Teamcenter Visualization V13.2",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c V13.2.0.12"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Teamcenter Visualization V13.3",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c V13.3.0.7"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Teamcenter Visualization V14.0",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c V14.0.0.3"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Teamcenter Visualization V14.1",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u003c V14.1.0.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Siemens"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability has been identified in JT2Go (All versions \u003c  V14.1.0.4), Teamcenter Visualization V13.2 (All versions \u003c V13.2.0.12), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.7), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.3), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-416",
                "lang": "eng",
                "value": "CWE-416: Use After Free"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf",
            "refsource": "MISC",
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:siemens:jt2go:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.1.0.4",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "13.3.0.7",
                "versionStartIncluding": "13.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.0.0.3",
                "versionStartIncluding": "14.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.1.0.4",
                "versionStartIncluding": "14.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2022-41663"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in JT2Go (All versions \u003c  V14.1.0.4), Teamcenter Visualization V13.2 (All versions \u003c V13.2.0.12), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.7), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.3), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.4). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-06-13T09:15Z",
      "publishedDate": "2022-11-08T11:15Z"
    }
  }
}

Action not permitted

cve-2022-41663

Vulnerability from cvelistv5

var-202211-0309

Vulnerability from variot

ghsa-fv7q-rvfh-pg5h

Vulnerability from github

icsa-22-314-09

Vulnerability from csaf_cisa

gsd-2022-41663

Vulnerability from gsd

Tags