2024-12-08 03:06:42 +00:00

{
"id": "CVE-2022-2155",
"sourceIdentifier": "cybersecurity@hitachienergy.com",
"published": "2023-01-12T15:15:09.797",
"lastModified": "2024-11-21T07:00:26.363",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en las versiones afectadas de la funci\u00f3n User Asset Group de Lumada APM debido a un fallo en la implementaci\u00f3n del mecanismo de control de acceso en el \u201cLimited Engineer\u201d rol, otorg\u00e1ndole acceso a la caracter\u00edstica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podr\u00eda acceder a informaci\u00f3n no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Adem\u00e1s, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deber\u00edan estar disponibles para el atacante. Versiones afectadas: \n* Lumada APM versi\u00f3n local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "cybersecurity@hitachienergy.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2
}
]
},
"weaknesses": [
{
"source": "cybersecurity@hitachienergy.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*",
"versionStartIncluding": "6.0.0.0",
"versionEndExcluding": "6.4.0.1",
"matchCriteriaId": "C7CCDA82-BE91-49C2-93DD-B21F2653BDDB"
}
]
}
]
}
],
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch",
"source": "cybersecurity@hitachienergy.com",
"tags": [
"Mitigation",
"Vendor Advisory"
]
},
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
]
}
]
}