CVE-2022-47557 (GCVE-0-2022-47557)
Vulnerability from cvelistv5 – Published: 2023-09-19 12:54 – Updated: 2024-08-03 14:55 – Tag: Unsupported When Assigned (the affected products were already out of vendor support when the CVE was assigned)
Title
Use of Password Hash With Insufficient Computational Effort in Ormazabal products
Summary
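Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions. (The record classifies the weakness as CWE-916, so "decrypt" here most likely means recovering passwords from hashes that are too cheap to compute, rather than breaking encryption.)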
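Severity (CVSS v3.1)
6.1 (Medium) – CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The vector scores the attack vector as Local (AV:L), although the summary describes an attacker with access to the device's network; keep this mismatch in mind when prioritising.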
CWE
- CWE-916 - Use of Password Hash With Insufficient Computational Effort
Assigner
References
Impacted products
Date Public
2023-08-22 10:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-47557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T19:20:00.767578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T19:20:07.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:55:08.383Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ekorCCP",
"vendor": "Ormazabal",
"versions": [
{
"status": "affected",
"version": "601j"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ekorRCI",
"vendor": "Ormazabal",
"versions": [
{
"status": "affected",
"version": "601j"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jacinto Moral Matell\u00e1n"
}
],
"datePublic": "2023-08-22T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions."
}
],
"value": "Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-19T12:54:52.788Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Ormazabal recommends upgrading to updated models."
}
],
"value": "Ormazabal recommends upgrading to updated models."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Use of Password Hash With Insufficient Computational Effort in Ormazabal products",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2022-47557",
"datePublished": "2023-09-19T12:54:52.788Z",
"dateReserved": "2022-12-19T16:35:50.461Z",
"dateUpdated": "2024-08-03T14:55:08.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-47557",
"date": "2026-04-26",
"epss": "0.00035",
"percentile": "0.10129"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ormazabal:ekorrci_firmware:601j:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"34615054-34DD-469E-80FC-F5C3F74850AC\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ormazabal:ekorrci:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C5E73387-2229-4A85-A3A7-A0A2C1D74EA6\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ormazabal:ekorccp_firmware:601j:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3A8F0358-F8FA-4AEB-B88E-C56E2E965B7B\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ormazabal:ekorccp:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"77B2D423-E767-495C-93C7-4C4B724BE3E3\"}]}]}]",
"cveTags": "[{\"sourceIdentifier\": \"cve-coordination@incibe.es\", \"tags\": [\"unsupported-when-assigned\"]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.\"}, {\"lang\": \"es\", \"value\": \"** NO COMPATIBLE CUANDO EST\\u00c1 ASIGNADO ** Vulnerabilidad en ekorCCP y ekorRCI que podr\\u00eda permitir a un atacante con acceso a la red donde se encuentra el dispositivo descifrar las credenciales de usuarios privilegiados, y posteriormente acceder al sistema para realizar acciones maliciosas.\"}]",
"id": "CVE-2022-47557",
"lastModified": "2024-11-21T07:32:11.367",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve-coordination@incibe.es\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 4.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 4.2}]}",
"published": "2023-09-19T13:16:20.843",
"references": "[{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products\", \"source\": \"cve-coordination@incibe.es\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cve-coordination@incibe.es\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-916\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-916\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-47557\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2023-09-19T13:16:20.843\",\"lastModified\":\"2024-11-21T07:32:11.367\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.\"},{\"lang\":\"es\",\"value\":\"** NO COMPATIBLE CUANDO EST\u00c1 ASIGNADO ** Vulnerabilidad en ekorCCP y ekorRCI que podr\u00eda permitir a un atacante con acceso a la red donde se encuentra el dispositivo descifrar las credenciales de usuarios privilegiados, y posteriormente acceder al sistema para realizar acciones maliciosas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"cve-coordinat
ion@incibe.es\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-916\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-916\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ormazabal:ekorrci_firmware:601j:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34615054-34DD-469E-80FC-F5C3F74850AC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ormazabal:ekorrci:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5E73387-2229-4A85-A3A7-A0A2C1D74EA6\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ormazabal:ekorccp_firmware:601j:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A8F0358-F8FA-4AEB-B88E-C56E2E965B7B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ormazabal:ekorccp:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"77B2D423-E767-495C-93C7-4C4B724BE3E3\"}]}]}],\"references\":[{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products\",\"source\":\"cve-coordination@incibe.es\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T14:55:08.383Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-47557\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-11T19:20:00.767578Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-11T19:20:04.364Z\"}}], \"cna\": {\"tags\": [\"unsupported-when-assigned\"], \"title\": \"Use of Password Hash With Insufficient Computational Effort in Ormazabal products\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Jacinto Moral Matell\\u00e1n\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Ormazabal\", \"product\": \"ekorCCP\", \"versions\": [{\"status\": \"affected\", \"version\": \"601j\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Ormazabal\", \"product\": \"ekorRCI\", \"versions\": [{\"status\": 
\"affected\", \"version\": \"601j\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Ormazabal recommends upgrading to updated models.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Ormazabal recommends upgrading to updated models.\", \"base64\": false}]}], \"datePublic\": \"2023-08-22T10:00:00.000Z\", \"references\": [{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Vulnerability in ekorCCP and ekorRCI that could allow an attacker with access to the network where the device is located to decrypt the credentials of privileged users, and subsequently gain access to the system to perform malicious actions.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-916\", \"description\": \"CWE-916 Use of Password Hash With Insufficient Computational Effort\"}]}], \"providerMetadata\": {\"orgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"shortName\": \"INCIBE\", \"dateUpdated\": \"2023-09-19T12:54:52.788Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-47557\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-03T14:55:08.383Z\", \"dateReserved\": \"2022-12-19T16:35:50.461Z\", \"assignerOrgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"datePublished\": \"2023-09-19T12:54:52.788Z\", \"assignerShortName\": \"INCIBE\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.