CVE-2022-4258 - OpenCVE

In multiple versions of HIMA PC based Software an unquoted Windows search path vulnerability might allow local users to gain privileges via a malicious .exe file and gain full access to the system.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hima	Hopcs X-opc Da X-opc A\+e X-ots
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:hima:hopcs::::::::
	cpe:2.3:a:hima:x-opc_a\+e::::::::
	cpe:2.3:a:hima:x-opc_da::::::::
	cpe:2.3:a:hima:x-ots::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2022-059/	Mitigation Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: CERTVDE

Published: 2023-01-16T09:52:09.647Z

Updated:

Reserved: 2022-12-01T14:43:52.479Z

Link: CVE-2022-4258

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-16T10:15:10.313

Modified: 2023-11-07T03:57:20.337

Link: CVE-2022-4258

JSON object: View

Redhat Information

No data.

CWE

CWE-428

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-4258", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2022-12-01T14:43:52.479Z", "datePublished": "2023-01-16T09:52:09.647Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HOPCS", "vendor": "HIMA", "versions": [{"lessThanOrEqual": "3.56.4", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "X-OPC DA", "vendor": "HIMA", "versions": [{"lessThanOrEqual": "5.6.1210", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "X-OPC A+E ", "vendor": "HIMA", "versions": [{"lessThanOrEqual": "5.6.1210", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "X-OTS", "vendor": "HIMA", "versions": [{"lessThanOrEqual": "1.32.550", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "This vulnerability has been found by a HIMA customer."}, {"lang": "en", "type": "coordinator", "user": "00000000-0000-4000-9000-000000000000", "value": "Case handled by PSIRT@hima.com in cooperation with CERT@VDE"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In multiple versions of HIMA PC based Software an unquoted Windows search path vulnerability might allow local users to gain privileges via a malicious .exe file and gain full access to the system."}], "value": "In multiple versions of HIMA PC based Software an unquoted Windows search path vulnerability\u00a0might allow local users to gain privileges via a malicious .exe file and gain full access to the system."}], "impacts": [{"capecId": "CAPEC-38", "descriptions": [{"lang": "en", "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-428", "description": "CWE-428 Unquoted Search Path or Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-01-16T09:52:09.647Z"}, "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-059/"}], "source": {"advisory": "VDE-2022-059", "defect": ["CERT@VDE#64320"], "discovery": "EXTERNAL"}, "title": "Hima: Unquoted path vulnerabilities in HIMA PC based Software", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hima:hopcs:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FFBD495-B6DC-4DF2-99C6-BBB778BC0B5A", "versionEndIncluding": "3.56.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:hima:x-opc_a\\+e:*:*:*:*:*:*:*:*", "matchCriteriaId": "E39AB0B1-60C2-4321-A474-DBC441225B96", "versionEndIncluding": "5.6.1210", "vulnerable": true}, {"criteria": "cpe:2.3:a:hima:x-opc_da:*:*:*:*:*:*:*:*", "matchCriteriaId": "B65F8D0C-D953-4718-8D8D-6B772E78901E", "versionEndIncluding": "5.6.1210", "vulnerable": true}, {"criteria": "cpe:2.3:a:hima:x-ots:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2089FC4-BFD1-49BE-9794-CDA90A86F3B7", "versionEndIncluding": "1.32.550", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In multiple versions of HIMA PC based Software an unquoted Windows search path vulnerability\u00a0might allow local users to gain privileges via a malicious .exe file and gain full access to the system."}, {"lang": "es", "value": "En varias versiones del software HIMA para PC, una vulnerabilidad de ruta de b\u00fasqueda de Windows sin comillas podr\u00eda permitir a los usuarios locales obtener privilegios a trav\u00e9s de un archivo .exe malicioso y obtener acceso completo al sistema."}], "id": "CVE-2022-4258", "lastModified": "2023-11-07T03:57:20.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2023-01-16T10:15:10.313", "references": [{"source": "info@cert.vde.com", "tags": ["Mitigation", "Third Party Advisory", "VDB Entry"], "url": "https://cert.vde.com/en/advisories/VDE-2022-059/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "info@cert.vde.com", "type": "Primary"}]}