CVE-2022-0010 - OpenCVE

Insertion of Sensitive Information into Log File vulnerability in ABB QCS 800xA, ABB QCS AC450, ABB Platform Engineering Tools. An attacker, who already has local access to the QCS nodes, could successfully obtain the password for a system user account. Using this information, the attacker could have the potential to exploit this vulnerability to gain control of system nodes. This issue affects QCS 800xA: from 1.0;0 through 6.1SP2; QCS AC450: from 1.0;0 through 5.1SP2; Platform Engineering Tools: from 1.0:0 through 2.3.0.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Abb	Qcs 800xa Firmware Qcs Ac450 Qcs Ac450 Firmware Qcs 800xa Platform Engineering Tools

Configuration 1 [-]

cpe:2.3:a:abb:platform_engineering_tools:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:o:abb:qcs_800xa_firmware::::::::
	cpe:2.3:o:abb:qcs_800xa_firmware:5.1.0:sp2::::::

cpe:2.3:h:abb:qcs_800xa:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

OR	cpe:2.3:o:abb:qcs_ac450_firmware::::::::
	cpe:2.3:o:abb:qcs_ac450_firmware:6.1.0:sp2::::::

cpe:2.3:h:abb:qcs_ac450:-:*:*:*:*:*:*:*

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=3BUS221709&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.108646530.1437951308.1684739395-1142547495.1678209228	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ABB

Published: 2023-05-22T07:22:51.662Z

Updated: 2023-05-22T07:22:51.662Z

Reserved: 2021-12-13T11:17:36.576Z

Link: CVE-2022-0010

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-22T08:15:08.920

Modified: 2023-06-01T15:20:31.870

Link: CVE-2022-0010

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-0010", "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "state": "PUBLISHED", "assignerShortName": "ABB", "dateReserved": "2021-12-13T11:17:36.576Z", "datePublished": "2023-05-22T07:22:51.662Z", "dateUpdated": "2023-05-22T07:22:51.662Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QCS 800xA", "vendor": "ABB", "versions": [{"lessThanOrEqual": "6.1SP2", "status": "affected", "version": "1.0;0", "versionType": "patch"}]}, {"defaultStatus": "unaffected", "product": "QCS AC450", "vendor": "ABB", "versions": [{"lessThanOrEqual": "5.1SP2", "status": "affected", "version": "1.0;0", "versionType": "patch"}]}, {"defaultStatus": "unaffected", "product": "Platform Engineering Tools", "vendor": "ABB", "versions": [{"lessThanOrEqual": "2.3.0", "status": "affected", "version": "1.0:0", "versionType": "patch"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information into Log File vulnerability in ABB QCS 800xA, ABB QCS AC450, ABB Platform Engineering Tools.<br>\n\n<span style=\"background-color: rgb(255, 255, 255);\">An attacker, who already has local access to the QCS nodes, could successfully obtain the password for a system user account. Using this information, the attacker could have the potential to exploit this vulnerability to gain control of system nodes. </span>\n\n<p>This issue affects QCS 800xA: from 1.0;0 through 6.1SP2; QCS AC450: from 1.0;0 through 5.1SP2; Platform Engineering Tools: from 1.0:0 through 2.3.0.</p>"}], "value": "Insertion of Sensitive Information into Log File vulnerability in ABB QCS 800xA, ABB QCS AC450, ABB Platform Engineering Tools.\n\n\nAn attacker, who already has local access to the QCS nodes, could successfully obtain the password for a system user account. Using this information, the attacker could have the potential to exploit this vulnerability to gain control of system nodes. \n\nThis issue affects QCS 800xA: from 1.0;0 through 6.1SP2; QCS AC450: from 1.0;0 through 5.1SP2; Platform Engineering Tools: from 1.0:0 through 2.3.0.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB", "dateUpdated": "2023-05-22T07:22:51.662Z"}, "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=3BUS221709&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.108646530.1437951308.1684739395-1142547495.1678209228"}], "source": {"discovery": "UNKNOWN"}, "title": "QCS 800xA Vulnerability identified in system log files", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:platform_engineering_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0469275-C1B5-45EE-B4A9-DE1F500E04C6", "versionEndIncluding": "2.3.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:abb:qcs_800xa_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F25CD2B4-140C-49C4-BEBD-9021CAD12FE9", "versionEndIncluding": "5.1.0", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:abb:qcs_800xa_firmware:5.1.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "32217B3E-F886-48A1-8987-A92DA4E54A9A", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:abb:qcs_800xa:-:*:*:*:*:*:*:*", "matchCriteriaId": "44BDFBF8-88D6-45D9-965F-85CFD002F316", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:abb:qcs_ac450_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "24106F4D-2DF1-417E-9FF1-DD212E1F6F27", "versionEndIncluding": "6.1.0", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:abb:qcs_ac450_firmware:6.1.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "03FA9720-A525-4F4B-9486-C346C258B4DE", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:abb:qcs_ac450:-:*:*:*:*:*:*:*", "matchCriteriaId": "79CCB4FA-2651-4E96-925F-772E3EAFA593", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information into Log File vulnerability in ABB QCS 800xA, ABB QCS AC450, ABB Platform Engineering Tools.\n\n\nAn attacker, who already has local access to the QCS nodes, could successfully obtain the password for a system user account. Using this information, the attacker could have the potential to exploit this vulnerability to gain control of system nodes. \n\nThis issue affects QCS 800xA: from 1.0;0 through 6.1SP2; QCS AC450: from 1.0;0 through 5.1SP2; Platform Engineering Tools: from 1.0:0 through 2.3.0.\n\n"}], "id": "CVE-2022-0010", "lastModified": "2023-06-01T15:20:31.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2023-05-22T08:15:08.920", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=3BUS221709&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.108646530.1437951308.1684739395-1142547495.1678209228"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}