CVE-2022-0835 - OpenCVE

AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Aveva	System Platform

Configuration 1 [-]

OR	cpe:2.3:a:aveva:system_platform:2020:-::::::
	cpe:2.3:a:aveva:system_platform:2020:r2_patch01::::::
	cpe:2.3:a:aveva:system_platform:2020:r2s::::::

References

Link	Resource
https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-007.pdf	Vendor Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-11T19:38:30

Updated: 2022-04-11T19:38:30

Reserved: 2022-03-02T00:00:00

Link: CVE-2022-0835

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-11T20:15:16.540

Modified: 2022-04-18T13:42:31.147

Link: CVE-2022-0835

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "AVEVA System Platform", "vendor": "AVEVA", "versions": [{"status": "affected", "version": "5.59 2020 R2 P01"}, {"status": "affected", "version": "2020 R2S"}, {"status": "affected", "version": "2020"}]}], "credits": [{"lang": "en", "value": "Noam Moshe of Claroty and Ilya Karpov, Evgeniy Druzhinin, and Konstantin Kondratev of Rostelecom-Solar reported this vulnerability to AVEVA."}], "descriptions": [{"lang": "en", "value": "AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-316", "description": "CWE-316: Cleartext Storage of Sensitive Information in Memory", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-11T19:38:30", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-02"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-007.pdf"}], "solutions": [{"lang": "en", "value": "AVEVA recommends users of affected versions upgrade to one of the versions listed below and apply the corresponding security update:\n\u2022\tAVEVA System Platform 2020 R2 P01 and AVEVA System Platform 2020 R2: update to AVEVA System Platform 2020 R2 SP1\n\u2022\tAVEVA System Platform 2020: update to AVEVA System Platform 2020 P01\n\nFor more information on this issue, including security updates, please see Security Bulletin AVEVA-2021-007\n"}], "source": {"advisory": "ICSA-22-067-02", "discovery": "EXTERNAL"}, "title": "AVEVA System Platform Cleartext Storage of Sensitive Information in Memory", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-0835", "STATE": "PUBLIC", "TITLE": "AVEVA System Platform Cleartext Storage of Sensitive Information in Memory"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AVEVA System Platform", "version": {"version_data": [{"version_affected": "=", "version_name": "5.59", "version_value": "2020 R2 P01"}, {"version_value": "2020 R2S"}, {"version_value": "2020"}]}}]}, "vendor_name": "AVEVA"}]}}, "credit": [{"lang": "eng", "value": "Noam Moshe of Claroty and Ilya Karpov, Evgeniy Druzhinin, and Konstantin Kondratev of Rostelecom-Solar reported this vulnerability to AVEVA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-316: Cleartext Storage of Sensitive Information in Memory"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-02"}, {"name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-007.pdf", "refsource": "CONFIRM", "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-007.pdf"}]}, "solution": [{"lang": "en", "value": "AVEVA recommends users of affected versions upgrade to one of the versions listed below and apply the corresponding security update:\n\u2022\tAVEVA System Platform 2020 R2 P01 and AVEVA System Platform 2020 R2: update to AVEVA System Platform 2020 R2 SP1\n\u2022\tAVEVA System Platform 2020: update to AVEVA System Platform 2020 P01\n\nFor more information on this issue, including security updates, please see Security Bulletin AVEVA-2021-007\n"}], "source": {"advisory": "ICSA-22-067-02", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-0835", "datePublished": "2022-04-11T19:38:30", "dateReserved": "2022-03-02T00:00:00", "dateUpdated": "2022-04-11T19:38:30", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:system_platform:2020:-:*:*:*:*:*:*", "matchCriteriaId": "D47F4B07-B67F-4855-AED2-D17B0E76FA8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:system_platform:2020:r2_patch01:*:*:*:*:*:*", "matchCriteriaId": "8F27FDBD-1469-4E27-BB80-81D6C80CECF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:system_platform:2020:r2s:*:*:*:*:*:*", "matchCriteriaId": "5153D135-6C47-4980-BEB2-A14531F9476B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user."}, {"lang": "es", "value": "AVEVA System Platform versi\u00f3n 2020, almacena informaci\u00f3n confidencial en texto sin cifrar, lo que puede permitir el acceso a un atacante o a un usuario con pocos privilegios"}], "id": "CVE-2022-0835", "lastModified": "2022-04-18T13:42:31.147", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-04-11T20:15:16.540", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-007.pdf"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-316"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}