mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-06-19 17:32:41 +00:00
"-Synchronized-Data."
This commit is contained in:
CVE Team
parent
f606d04aa6
commit
5c6f2e6097
@ -60,7 +60,7 @@
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "A CWE-284: Improper Access Control vulnerability exists in Easergy T300 (with firmware 2.7 and older) that could cause a wide range of problems, including information exposure, denial of service, and command execution when access to a resource from an attacker is not restricted or incorrectly restricted."
|
||||
"value": "A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T300 (with firmware 2.7 and older) that could cause a wide range of problems, including information exposure, denial of service, and command execution when access to a resource from an attacker is not restricted or incorrectly restricted."
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@ -277,6 +277,21 @@
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"product_name": "ABB Ability\u2122 SCADAvantage",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": ">=",
|
||||
"version_value": "5.1"
|
||||
},
|
||||
{
|
||||
"version_affected": "<=",
|
||||
"version_value": "5.6.5"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -292,7 +307,7 @@
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, a weakness in validation of input exists that allows an attacker to block license handling by sending specially crafted messages to the CLS web service."
|
||||
"value": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5, a weakness in validation of input exists that allows an attacker to block license handling by sending specially crafted messages to the CLS web service."
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -330,19 +345,19 @@
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "CONFIRM",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "CONFIRM",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
"refsource": "MISC",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04",
|
||||
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04"
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
@ -277,6 +277,21 @@
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"product_name": "ABB Ability\u2122 SCADAvantage",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": ">=",
|
||||
"version_value": "5.1"
|
||||
},
|
||||
{
|
||||
"version_affected": "<=",
|
||||
"version_value": "5.6.5"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -292,7 +307,7 @@
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, a weakness in validation of input exists that allows an attacker to alter licenses assigned to the system nodes by sending specially crafted messages to the CLS web service."
|
||||
"value": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5, a weakness in validation of input exists that allows an attacker to alter licenses assigned to the system nodes by sending specially crafted messages to the CLS web service."
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -330,19 +345,19 @@
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "CONFIRM",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "CONFIRM",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
"refsource": "MISC",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04",
|
||||
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04"
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
@ -277,6 +277,21 @@
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"product_name": "ABB Ability\u2122 SCADAvantage",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": ">=",
|
||||
"version_value": "5.1"
|
||||
},
|
||||
{
|
||||
"version_affected": "<=",
|
||||
"version_value": "5.6.5"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -292,7 +307,7 @@
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, an XML External Entity Injection vulnerability exists that allows an attacker to read or call arbitrary files from the license server and/or from the network and also block the license handling."
|
||||
"value": "For the Central Licensing Server component used in ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5. an XML External Entity Injection vulnerability exists that allows an attacker to read or call arbitrary files from the license server and/or from the network and also block the license handling."
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -330,19 +345,19 @@
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "CONFIRM",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "CONFIRM",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
"refsource": "MISC",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04",
|
||||
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-04"
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
},
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch",
|
||||
"name": "https://search.abb.com/library/Download.aspx?DocumentID=3CCA2020-003309&LanguageCode=en&DocumentPartId=&Action=Launch"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
||||
@ -1,18 +1,105 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "productsecurity@jci.com",
|
||||
"DATE_PUBLIC": "2022-10-25T21:14:00.000Z",
|
||||
"ID": "CVE-2021-36206",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "CEVAS"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "CEVAS",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "<",
|
||||
"version_name": "all versions prior to 1.01.46",
|
||||
"version_value": "1.01.46"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Johnson Controls"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Christian Vierschilling and Caroline Moesler reported this vulnerability to Johnson Controls, Inc."
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries."
|
||||
}
|
||||
]
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "LOW",
|
||||
"attackVector": "NETWORK",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 10,
|
||||
"baseSeverity": "CRITICAL",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"privilegesRequired": "NONE",
|
||||
"scope": "CHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
|
||||
},
|
||||
{
|
||||
"name": "ICS-CERT Advisory",
|
||||
"refsource": "CERT",
|
||||
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-05"
|
||||
}
|
||||
]
|
||||
},
|
||||
"solution": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Upgrade CEVAS to version 1.01.46. Contact CKS for the upgrade."
|
||||
}
|
||||
],
|
||||
"source": {
|
||||
"discovery": "EXTERNAL"
|
||||
}
|
||||
}
|
||||
@ -1,18 +1,116 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "ics-cert@hq.dhs.gov",
|
||||
"DATE_PUBLIC": "2021-10-05T19:14:00.000Z",
|
||||
"ID": "CVE-2021-38395",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Honeywell Experion PKS and ACE Controllers Injection"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Experion PKS",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C200"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C200E"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C300"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "ACE controllers"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Honeywell"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "LOW",
|
||||
"attackVector": "NETWORK",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 9.1,
|
||||
"baseSeverity": "CRITICAL",
|
||||
"confidentialityImpact": "NONE",
|
||||
"integrityImpact": "HIGH",
|
||||
"privilegesRequired": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-74: Injection"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
|
||||
},
|
||||
{
|
||||
"name": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -1,18 +1,116 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "ics-cert@hq.dhs.gov",
|
||||
"DATE_PUBLIC": "2021-10-05T19:14:00.000Z",
|
||||
"ID": "CVE-2021-38397",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Experion PKS",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C200"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C200E"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C300"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "ACE controllers"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Honeywell"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "LOW",
|
||||
"attackVector": "NETWORK",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 10,
|
||||
"baseSeverity": "CRITICAL",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"privilegesRequired": "NONE",
|
||||
"scope": "CHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
|
||||
},
|
||||
{
|
||||
"name": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -1,18 +1,116 @@
|
||||
{
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ASSIGNER": "ics-cert@hq.dhs.gov",
|
||||
"DATE_PUBLIC": "2021-10-05T19:14:00.000Z",
|
||||
"ID": "CVE-2021-38399",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"STATE": "PUBLIC",
|
||||
"TITLE": "Honeywell Experion PKS and ACE Controllers Relative Path Traversal"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Experion PKS",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C200"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C200E"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "C300"
|
||||
},
|
||||
{
|
||||
"version_affected": "=",
|
||||
"version_value": "ACE controllers"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"vendor_name": "Honeywell"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"credit": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
|
||||
}
|
||||
],
|
||||
"data_format": "MITRE",
|
||||
"data_type": "CVE",
|
||||
"data_version": "4.0",
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories."
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.0.9"
|
||||
},
|
||||
"impact": {
|
||||
"cvss": {
|
||||
"attackComplexity": "LOW",
|
||||
"attackVector": "NETWORK",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "NONE",
|
||||
"privilegesRequired": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"userInteraction": "NONE",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
|
||||
"version": "3.1"
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-23: Relative Path Traversal"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
|
||||
},
|
||||
{
|
||||
"name": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf",
|
||||
"refsource": "CONFIRM",
|
||||
"url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
|
||||
}
|
||||
]
|
||||
},
|
||||
"source": {
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"work_around": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -4,14 +4,58 @@
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ID": "CVE-2022-31678",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"ASSIGNER": "security@vmware.com",
|
||||
"STATE": "PUBLIC"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"vendor_name": "n/a",
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "VMware Cloud Foundation (NSX-V)",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_value": "3.11"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "VMware Cloud Foundation contains an XML External Entity (XXE)"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.vmware.com/security/advisories/VMSA-2022-0027.html",
|
||||
"url": "https://www.vmware.com/security/advisories/VMSA-2022-0027.html"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure."
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@ -1,17 +1,98 @@
|
||||
{
|
||||
"data_version": "4.0",
|
||||
"data_type": "CVE",
|
||||
"data_format": "MITRE",
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ID": "CVE-2022-33859",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"ASSIGNER": "CybersecurityCOE@eaton.com",
|
||||
"STATE": "PUBLIC"
|
||||
},
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. This vulnerability is present in versions 4.x, 5.x, 6.x & 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. Customers are advised to update the software to the latest version (v7.6). Foreseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html ."
|
||||
}
|
||||
]
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "CWE-434 Unrestricted Upload of File",
|
||||
"cweId": "CWE-434"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"vendor_name": "Eaton",
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Foreseer EPMS",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_value": "7.0",
|
||||
"version_affected": "="
|
||||
},
|
||||
{
|
||||
"version_value": "4.0",
|
||||
"version_affected": "="
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"url": "https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html",
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html"
|
||||
}
|
||||
]
|
||||
},
|
||||
"generator": {
|
||||
"engine": "Vulnogram 0.1.0-dev"
|
||||
},
|
||||
"source": {
|
||||
"advisory": "ETN",
|
||||
"discovery": "EXTERNAL"
|
||||
},
|
||||
"credits": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Michael"
|
||||
}
|
||||
],
|
||||
"impact": {
|
||||
"cvss": [
|
||||
{
|
||||
"attackComplexity": "LOW",
|
||||
"attackVector": "LOCAL",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 8.1,
|
||||
"baseSeverity": "HIGH",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "HIGH",
|
||||
"privilegesRequired": "LOW",
|
||||
"scope": "CHANGED",
|
||||
"userInteraction": "REQUIRED",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
|
||||
"version": "3.1"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@ -4,14 +4,67 @@
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ID": "CVE-2022-37913",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"ASSIGNER": "security-alert@hpe.com",
|
||||
"STATE": "PUBLIC"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"vendor_name": "n/a",
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_value": "Orchestrator 9.1.2.40051 and below"
|
||||
},
|
||||
{
|
||||
"version_value": "Orchestrator 9.0.7.40108 and below"
|
||||
},
|
||||
{
|
||||
"version_value": "Orchestrator 8.10.23.40009 and below"
|
||||
},
|
||||
{
|
||||
"version_value": "Any older branches of Orchestrator not specifically mentioned"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Remote Authentication Bypass"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt",
|
||||
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to a complete compromise of the Aruba EdgeConnect Enterprise Orchestrator with versions 9.1.2.40051 and below, 9.0.7.40108 and below, 8.10.23.40009 and below, and any older branches of Orchestrator not specifically mentioned."
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@ -4,14 +4,67 @@
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ID": "CVE-2022-37914",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"ASSIGNER": "security-alert@hpe.com",
|
||||
"STATE": "PUBLIC"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"vendor_name": "n/a",
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_value": "Orchestrator 9.1.2.40051 and below"
|
||||
},
|
||||
{
|
||||
"version_value": "Orchestrator 9.0.7.40108 and below"
|
||||
},
|
||||
{
|
||||
"version_value": "Orchestrator 8.10.23.40009 and below"
|
||||
},
|
||||
{
|
||||
"version_value": "Any older branches of Orchestrator not specifically mentioned"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Remote Authentication Bypass"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt",
|
||||
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to a complete compromise of the Aruba EdgeConnect Enterprise Orchestrator with versions 9.1.2.40051 and below, 9.0.7.40108 and below, 8.10.23.40009 and below, and any older branches of Orchestrator not specifically mentioned."
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@ -4,14 +4,58 @@
|
||||
"data_version": "4.0",
|
||||
"CVE_data_meta": {
|
||||
"ID": "CVE-2022-37915",
|
||||
"ASSIGNER": "cve@mitre.org",
|
||||
"STATE": "RESERVED"
|
||||
"ASSIGNER": "security-alert@hpe.com",
|
||||
"STATE": "PUBLIC"
|
||||
},
|
||||
"affects": {
|
||||
"vendor": {
|
||||
"vendor_data": [
|
||||
{
|
||||
"vendor_name": "n/a",
|
||||
"product": {
|
||||
"product_data": [
|
||||
{
|
||||
"product_name": "Aruba EdgeConnect Enterprise Orchestrator (on-premises)",
|
||||
"version": {
|
||||
"version_data": [
|
||||
{
|
||||
"version_value": "9.1.x branch only, Any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197, Orchestrators upgraded to 9.1.x were not affected."
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"problemtype": {
|
||||
"problemtype_data": [
|
||||
{
|
||||
"description": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "Remote Arbitrary Code Execution"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"references": {
|
||||
"reference_data": [
|
||||
{
|
||||
"refsource": "MISC",
|
||||
"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt",
|
||||
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": {
|
||||
"description_data": [
|
||||
{
|
||||
"lang": "eng",
|
||||
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
|
||||
"value": "A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to a complete system compromise of Aruba EdgeConnect Enterprise Orchestration with versions 9.1.x branch only, Any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197, Orchestrators upgraded to 9.1.x were not affected."
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user