ID

VAR-202203-0208


CVE

CVE-2022-25311


TITLE

Privilege management vulnerability in Siemens' SINEC NMS

Trust: 0.8

sources: JVNDB: JVNDB-2022-006466

DESCRIPTION

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software does not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation. A permission management vulnerability exists in Siemens' SINEC NMS. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2022-25311 // JVNDB: JVNDB-2022-006466

AFFECTED PRODUCTS

vendor: siemens, model: sinema server, scope: eq, version: 14.0

Trust: 1.0

vendor: siemens, model: sinec network management system, scope: lt, version: 1.0.3

Trust: 1.0

vendor: Siemens, model: sinec nms, scope: -, version: -

Trust: 0.8

vendor: Siemens, model: sinec nms, scope: eq, version: -

Trust: 0.8

vendor: Siemens, model: sinec nms, scope: eq, version: 1.0.3

Trust: 0.8

sources: JVNDB: JVNDB-2022-006466 // NVD: CVE-2022-25311

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-25311
value: HIGH

Trust: 1.0

productcert@siemens.com: CVE-2022-25311
value: HIGH

Trust: 1.0

NVD: CVE-2022-25311
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202203-747
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-25311
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2022-25311
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

productcert@siemens.com: CVE-2022-25311
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.3
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2022-006466
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-006466 // CNNVD: CNNVD-202203-747 // NVD: CVE-2022-25311 // NVD: CVE-2022-25311

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-269

Trust: 1.0

problemtype:Improper authority management (CWE-269) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-006466 // NVD: CVE-2022-25311

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

PATCH

title: Siemens SINEC NMS Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=185241

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

EXTERNAL IDS

db: NVD, id: CVE-2022-25311

Trust: 3.2

db: SIEMENS, id: SSA-250085

Trust: 2.4

db: ICS CERT, id: ICSA-22-069-03

Trust: 1.4

db: JVN, id: JVNVU91709091

Trust: 0.8

db: JVNDB, id: JVNDB-2022-006466

Trust: 0.8

db: CS-HELP, id: SB2022031006

Trust: 0.6

db: AUSCERT, id: ESB-2022.1043

Trust: 0.6

db: CNNVD, id: CNNVD-202203-747

Trust: 0.6

sources: JVNDB: JVNDB-2022-006466 // CNNVD: CNNVD-202203-747 // NVD: CVE-2022-25311

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-250085.pdf

Trust: 2.4

url:https://jvn.jp/vu/jvnvu91709091/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-25311

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-03

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-069-03

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1043

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022031006

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-25311/

Trust: 0.6

sources: JVNDB: JVNDB-2022-006466 // CNNVD: CNNVD-202203-747 // NVD: CVE-2022-25311

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202203-747

SOURCES

db: JVNDB, id: JVNDB-2022-006466
db: CNNVD, id: CNNVD-202203-747
db: NVD, id: CVE-2022-25311

LAST UPDATE DATE

2024-08-14T13:06:41.316000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2022-006466, date: 2023-07-05T08:09:00
db: CNNVD, id: CNNVD-202203-747, date: 2023-07-11T00:00:00
db: NVD, id: CVE-2022-25311, date: 2023-10-10T11:15:10.477

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2022-006466, date: 2023-07-05T00:00:00
db: CNNVD, id: CNNVD-202203-747, date: 2022-03-08T00:00:00
db: NVD, id: CVE-2022-25311, date: 2022-03-08T12:15:11.727