CVE-2022-32528 - OpenCVE

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read specific files in the IGSS project report directory, potentially leading to a denial-of-service condition when an attacker sends specific messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Interactive Graphical Scada System

Configuration 1 [-]

cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-165-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification.pdf

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2023-01-30T00:00:00

Updated: 2023-05-16T13:02:56.075Z

Reserved: 2022-06-07T00:00:00

Link: CVE-2022-32528

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-30T23:15:11.067

Modified: 2023-05-16T14:15:09.230

Link: CVE-2022-32528

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32528", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "dateUpdated": "2023-05-16T13:02:56.075Z", "dateReserved": "2022-06-07T00:00:00", "datePublished": "2023-01-30T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IGSS Data Server (IGSSdataServer.exe)", "vendor": "Schneider Electric", "versions": [{"lessThan": "V15.0.0.22170", "status": "affected", "version": "All", "versionType": "custom"}]}], "datePublic": "2022-06-13T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n\nA CWE-306: Missing Authentication for Critical Function vulnerability exists that could\ncause access to manipulate and read specific files in the IGSS project report directory,\npotentially leading to a denial-of-service condition when an attacker sends specific messages.\n\n Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)</p>"}], "value": "\nA CWE-306: Missing Authentication for Critical Function vulnerability exists that could\ncause access to manipulate and read specific files in the IGSS project report directory,\npotentially leading to a denial-of-service condition when an attacker sends specific messages.\n\n Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2023-05-16T13:02:56.075Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-165-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC1660EA-8915-4BB2-B409-BF360253B269", "versionEndIncluding": "15.0.0.22170", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nA CWE-306: Missing Authentication for Critical Function vulnerability exists that could\ncause access to manipulate and read specific files in the IGSS project report directory,\npotentially leading to a denial-of-service condition when an attacker sends specific messages.\n\n Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad CWE-306: Autenticaci\u00f3n faltante para funciones cr\u00edticas que podr\u00eda causar acceso para manipular y leer archivos espec\u00edficos en el directorio de informes del proyecto IGSS, lo que podr\u00eda conducir a una condici\u00f3n de denegaci\u00f3n de servicio cuando un atacante env\u00eda mensajes espec\u00edficos. Productos afectados: IGSS Data Server - IGSSdataServer.exe (Versiones anteriores a V15.0.0.22170)"}], "id": "CVE-2022-32528", "lastModified": "2023-05-16T14:15:09.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2023-01-30T23:15:11.067", "references": [{"source": "cybersecurity@se.com", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-165-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "cybersecurity@se.com", "type": "Primary"}]}