CVE-2022-43400

A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a (80)). The mobile server component of affected applications improperly handles the log in for Active Directory accounts that are part of Administrators group. This could allow an unauthenticated remote attacker to access the application without a valid account.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-640732.pdf	Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-640732.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:siveillance_video_mobile_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:26

Type	Values Removed	Values Added
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-640732.pdf - Vendor Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-640732.pdf - Vendor Advisory

27 Jun 2023, 13:23

Type	Values Removed	Values Added
CWE	~~CWE-863~~	CWE-287

Information

Published : 2022-10-21 14:15

Updated : 2024-11-21 07:26

NVD link : CVE-2022-43400

Mitre link : CVE-2022-43400

CVE.ORG link : CVE-2022-43400

JSON object : View

Products Affected

siemens

siveillance_video_mobile_server

CWE

CWE-1390

Weak Authentication

CWE-287

Improper Authentication

{"id": "CVE-2022-43400", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-10-21T14:15:09.483", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-640732.pdf", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-640732.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-1390"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a (80)). The mobile server component of affected applications improperly handles the log in for Active Directory accounts that are part of Administrators group. This could allow an unauthenticated remote attacker to access the application without a valid account."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Siveillance Video Mobile Server versiones V2022 R2 (Todas las versiones anteriores a V22.2a (80)). El componente del servidor m\u00f3vil de las aplicaciones afectadas administra inapropiadamente el inicio de sesi\u00f3n de las cuentas de Active Directory que forman parte del grupo de administradores. Esto podr\u00eda permitir a un atacante remoto no autenticado acceder a la aplicaci\u00f3n sin una cuenta v\u00e1lida"}], "lastModified": "2024-11-21T07:26:24.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:siveillance_video_mobile_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BDCE907-C51F-40F2-9745-8AAFE468AB92", "versionEndExcluding": "22.2a\\(80\\)"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}