CVE-2022-3158

Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an input validation vulnerability. The FactoryTalk VantagePoint SQL Server lacks input validation when users enter SQL statements to retrieve information from the back-end database. If successfully exploited, this could allow a user with basic user privileges to perform remote code execution on the server.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1137043	Permissions Required Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.0:::::::*
	cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.10:::::::*
	cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.20:::::::*
	cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.30:::::::*
	cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.31:::::::*

History

No history.

Information

Published : 2022-10-17 22:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-3158

Mitre link : CVE-2022-3158

CVE.ORG link : CVE-2022-3158

JSON object : View

Products Affected

rockwellautomation

factorytalk_vantagepoint

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2022-3158", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-10-17T22:15:10.437", "references": [{"url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1137043", "tags": ["Permissions Required", "Vendor Advisory"], "source": "PSIRT@rockwellautomation.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an input validation vulnerability. The FactoryTalk VantagePoint SQL Server lacks input validation when users enter SQL statements to retrieve information from the back-end database. If successfully exploited, this could allow a user with basic user privileges to perform remote code execution on the server."}, {"lang": "es", "value": "Rockwell Automation FactoryTalk VantagePoint versiones 8.0, 8.10, 8.20, 8.30 y 8.31, son vulnerables a una vulnerabilidad de comprobaci\u00f3n de entrada. El servidor SQL de FactoryTalk VantagePoint carece de comprobaci\u00f3n de entrada cuando los usuarios introducen sentencias SQL para recuperar informaci\u00f3n de la base de datos del back-end. Si es explotado con \u00e9xito, esto podr\u00eda permitir a un usuario con privilegios de usuario b\u00e1sicos llevar a cabo una ejecuci\u00f3n de c\u00f3digo remota en el servidor"}], "lastModified": "2022-10-20T14:42:28.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD07421-BA29-47E8-B96B-424C35194F2F"}, {"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F68655B-5ED9-4B1C-9E7E-4374F5A31AFE"}, {"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "272D6C41-9E30-4A70-BAD7-A94D8EE51167"}, {"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43E695DF-8CB1-49AA-BFEC-18336C2FCF8D"}, {"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_vantagepoint:8.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA050720-1DC3-4B74-9AE4-5212D4A81938"}], "operator": "OR"}]}], "sourceIdentifier": "PSIRT@rockwellautomation.com"}