CVE-2022-41629

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07	Patch Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:deltaww:infrasuite_device_master:*:*:*:*:*:*:*:*

History

07 Nov 2023, 03:52

Type	Values Removed	Values Added
Summary	Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.	Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.

Information

Published : 2022-10-31 20:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-41629

Mitre link : CVE-2022-41629

CVE.ORG link : CVE-2022-41629

JSON object : View

Products Affected

deltaww

infrasuite_device_master

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2022-41629", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-10-31T20:15:13.063", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "\nDelta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the \u201cRunningConfigs\u201d directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.\n\n"}, {"lang": "es", "value": "Las versiones 00.00.01a y anteriores de Delta Electronics InfraSuite Device Master permiten que usuarios no autenticados accedan al endpoint de ejecuci\u00f3n, lo que podr\u00eda permitir a un atacante recuperar cualquier archivo del directorio \"\"RunningConfigs\"\". Luego, el atacante podr\u00eda ver y modificar archivos de configuraci\u00f3n como UserListInfo.xml, lo que le permitir\u00eda ver las contrase\u00f1as administrativas existentes.\n"}], "lastModified": "2023-11-07T03:52:51.637", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:infrasuite_device_master:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BC08CDF-4EE4-4E6D-AFF0-A4749A91A05D", "versionEndExcluding": "00.00.02a"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}