CVE-2022-32747 - OpenCVE

A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxure™ Cybersecurity Admin Expert (CAE) (Versions prior to 2.2)

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Ecostruxure Cybersecurity Admin Expert

Configuration 1 [-]

cpe:2.3:a:schneider-electric:ecostruxure_cybersecurity_admin_expert:*:*:*:*:*:*:*:*

References

Link	Resource
https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-08_Cybersecurity_Admin_Expert_Security_Notification.pdf	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2023-01-30T00:00:00

Updated: 2023-01-30T00:00:00

Reserved: 2022-06-09T00:00:00

Link: CVE-2022-32747

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-01-30T23:15:11.227

Modified: 2023-04-03T17:44:24.080

Link: CVE-2022-32747

JSON object: View

Redhat Information

No data.

CWE

CWE-290

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_cybersecurity_admin_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B912C3C-9BDA-49E3-A473-B6490CEC4813", "versionEndExcluding": "2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxure\u2122 Cybersecurity Admin Expert (CAE) (Versions prior to 2.2)"}, {"lang": "es", "value": "Existe una vulnerabilidad CWE-290: omisi\u00f3n de autenticaci\u00f3n mediante suplantaci\u00f3n de identidad que podr\u00eda bloquear el acceso de los usuarios leg\u00edtimos a los dispositivos o facilitar la creaci\u00f3n de cuentas de puerta trasera al suplantar un dispositivo en la red local. Productos afectados: EcoStruxure? Cybersecurity Admin Expert (Versiones anteriores a la 2.2)"}], "id": "CVE-2022-32747", "lastModified": "2023-04-03T17:44:24.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2023-01-30T23:15:11.227", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-08_Cybersecurity_Admin_Expert_Security_Notification.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "cybersecurity@se.com", "type": "Primary"}]}