CVE-2022-1368

{"id": "CVE-2022-1368", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-09-06T23:15:08.240", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-03", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-306: Missing Authentication for Critical Function, which allows unauthorized users to change the operator account password via webserver commands by monitoring web socket communications from an unauthenticated session. This could allow an attacker to escalate privileges to match those of the compromised account."}, {"lang": "es", "value": "Cognex 3D-A1000 Dimensioning System en versi\u00f3n de firmware 1.0.3 (3354) y anteriores, es vulnerable a CWE-306: Una Falta de Autentificaci\u00f3n para la Funci\u00f3n Cr\u00edtica, que permite que usuarios no autorizados cambien la contrase\u00f1a de la cuenta del operador por medio de comandos del servidor web mediante la monitorizaci\u00f3n de las comunicaciones del socket web desde una sesi\u00f3n no autenticada. Esto podr\u00eda permitir a un atacante escalar privilegios hasta igualar los de la cuenta comprometida.\n"}], "lastModified": "2022-09-12T13:53:58.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cognex:3d-a1000_dimensioning_system_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE25BB24-A1BE-4904-935B-61E84CAAFD81", "versionEndIncluding": "1.0.3\\(3354\\)"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:cognex:3d-a1000_dimensioning_system:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "01F624C6-079A-40BB-BA07-3441A6934850"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}