cve-2022-41668
Vulnerability from cvelistv5
Published
2022-11-04 00:00
Modified
2024-08-03 12:49
Severity ?
EPSS score ?
Summary
A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cybersecurity@se.com | https://www.se.com/ww/en/download/document/SEVD-2022-284-01/ | Patch, Vendor Advisory |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EcoStruxure Operator Terminal Expert",
"vendor": "Schneider Electric",
"versions": [
{
"lessThanOrEqual": "Hotfix 1",
"status": "affected",
"version": "V3.3",
"versionType": "custom"
}
]
},
{
"product": "Pro-face BLUE",
"vendor": "Schneider Electric",
"versions": [
{
"lessThanOrEqual": "Hotfix 1",
"status": "affected",
"version": "V3.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-704",
"description": "CWE-704 Incorrect Type Conversion or Cast",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-04T00:00:00",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2022-41668",
"datePublished": "2022-11-04T00:00:00",
"dateReserved": "2022-09-27T00:00:00",
"dateUpdated": "2024-08-03T12:49:43.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-41668\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2022-11-04T12:15:20.540\",\"lastModified\":\"2022-11-05T02:02:55.973\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A CWE-704: Incorrect Project Conversion vulnerability exists that allows adversaries with local user privileges to load a project file from an adversary-controlled network share which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad CWE-704: Conversi\u00f3n de Proyecto Incorrecta que permite a adversarios con privilegios de usuario local cargar un archivo de proyecto desde un recurso compartido de red controlado por el adversario, lo que podr\u00eda resultar en la ejecuci\u00f3n de c\u00f3digo malicioso. Productos afectados: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 o anterior), Pro-face BLUE (V3.3 Hotfix 1 o anterior).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"cybersecurity@se.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-704\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.3\",\"matchCriteriaId\":\"5705916B-E189-4314-AD32-C8D42991DFA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5585436E-9363-4730-9AF5-CE705093E664\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hf1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1495D2CA-263C-4B9F-9C4F-A1DCA574743E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.3\",\"matchCriteriaId\":\"297C4149-AA1F-4033-BD74-0FB908783399\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:pro-face_blue:3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B593005-BB3F-439A-AF38-F31AFEF6FCB9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hf1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D36B2C-AA16-4E42-90AF-DE40D6527D23\"}]}]}],\"references\":[{\"url\":\"https://www.se.com/ww/en/download/document/SEVD-2022-284-01/\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.