CVE-2022-30308

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
References
Configurations

Configuration 1

AND
  OR
    cpe:2.3:o:festo:controller_cecc-x-m1_firmware:*:*:*:*:*:*:*:*
    cpe:2.3:o:festo:controller_cecc-x-m1_firmware:4.0.14:*:*:*:*:*:*:*
  cpe:2.3:h:festo:controller_cecc-x-m1:-:*:*:*:*:*:*:*

Configuration 2

AND
  OR
    cpe:2.3:o:festo:controller_cecc-x-m1-mv_firmware:*:*:*:*:*:*:*:*
    cpe:2.3:o:festo:controller_cecc-x-m1-mv_firmware:4.0.14:*:*:*:*:*:*:*
  cpe:2.3:h:festo:controller_cecc-x-m1-mv:-:*:*:*:*:*:*:*

Configuration 3

AND
  OR
    cpe:2.3:o:festo:controller_cecc-x-m1-mv-s1_firmware:*:*:*:*:*:*:*:*
    cpe:2.3:o:festo:controller_cecc-x-m1-mv-s1_firmware:4.0.14:*:*:*:*:*:*:*
  cpe:2.3:h:festo:controller_cecc-x-m1-mv-s1:-:*:*:*:*:*:*:*

Configuration 4

AND
  cpe:2.3:o:festo:controller_cecc-x-m1-ys-l1_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:h:festo:controller_cecc-x-m1-ys-l1:-:*:*:*:*:*:*:*

Configuration 5

AND
  cpe:2.3:o:festo:controller_cecc-x-m1-ys-l2_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:h:festo:controller_cecc-x-m1-ys-l2:-:*:*:*:*:*:*:*

Configuration 6

AND
  cpe:2.3:o:festo:controller_cecc-x-m1-y-yjkp_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:h:festo:controller_cecc-x-m1-y-yjkp:-:*:*:*:*:*:*:*

Configuration 7

AND
  cpe:2.3:o:festo:servo_press_kit_yjkp_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:h:festo:servo_press_kit_yjkp:-:*:*:*:*:*:*:*

Configuration 8

AND
  cpe:2.3:o:festo:servo_press_kit_yjkp-_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:h:festo:servo_press_kit_yjkp-:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:02

Type: References
Values Removed: https://cert.vde.com/en/advisories/VDE-2022-020/ - Third Party Advisory
Values Added: https://cert.vde.com/en/advisories/VDE-2022-020/ - Third Party Advisory

16 Sep 2024, 23:15

Type: Summary
Values Removed: (en) In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Values Added: (en) In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

10 Aug 2023, 08:15

Type: Summary
Values Removed: In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Values Added: In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

21 Jul 2023, 16:56

Type: CWE
Value: CWE-78

Information

Published : 2022-06-13 14:15

Updated : 2024-11-21 07:02

NVD link : CVE-2022-30308

Mitre link : CVE-2022-30308

CVE.ORG link : CVE-2022-30308


Products Affected

festo

  • controller_cecc-x-m1-y-yjkp_firmware
  • controller_cecc-x-m1-y-yjkp
  • controller_cecc-x-m1-mv-s1_firmware
  • servo_press_kit_yjkp-_firmware
  • controller_cecc-x-m1
  • controller_cecc-x-m1-ys-l1_firmware
  • controller_cecc-x-m1-ys-l1
  • controller_cecc-x-m1-mv
  • controller_cecc-x-m1-mv-s1
  • servo_press_kit_yjkp
  • controller_cecc-x-m1_firmware
  • servo_press_kit_yjkp-
  • controller_cecc-x-m1-ys-l2_firmware
  • controller_cecc-x-m1-mv_firmware
  • controller_cecc-x-m1-ys-l2
  • servo_press_kit_yjkp_firmware

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-863

Incorrect Authorization