Details of VAR-202203-0496

ID

VAR-202203-0496

CVE

CVE-2022-0923

TITLE

Delta Electronics, INC. of DIAEnergie In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-007563

DESCRIPTION

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands. Delta Electronics, INC. of DIAEnergie for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-0923 // JVNDB: JVNDB-2022-007563 // VULMON: CVE-2022-0923

AFFECTED PRODUCTS

vendor:	deltaww	model:	diaenergie	scope:	lt	version:	1.8.02.004	Trust: 1.0
vendor:	delta	model:	diaenergie	scope:	eq	version:	1.8.02.004	Trust: 0.8
vendor:	delta	model:	diaenergie	scope:	eq	version:	-	Trust: 0.8
vendor:	delta	model:	diaenergie	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-007563 // NVD: CVE-2022-0923

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-0923
value:	CRITICAL
Trust: 1.8
ics-cert@hq.dhs.gov:	CVE-2022-0923
value:	CRITICAL
Trust: 1.0
CNNVD:	CNNVD-202203-2001
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2022-0923
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2022-0923
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9

NVD:
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-0923
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2022-0923 // JVNDB: JVNDB-2022-007563 // NVD: CVE-2022-0923 // NVD: CVE-2022-0923 // CNNVD: CNNVD-202203-2001

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-007563 // NVD: CVE-2022-0923

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-2001

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202203-2001

CONFIGURATIONS

sources: NVD: CVE-2022-0923

PATCH

title:

Delta Electronics DIAEnergie SQL Repair measures for injecting vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=186688

Trust: 0.6

sources: CNNVD: CNNVD-202203-2001

EXTERNAL IDS

db:	NVD	id:	CVE-2022-0923	Trust: 3.3
db:	ICS CERT	id:	ICSA-22-081-01	Trust: 2.5
db:	JVNDB	id:	JVNDB-2022-007563	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.1232	Trust: 0.6
db:	CS-HELP	id:	SB2022032302	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-2001	Trust: 0.6
db:	VULMON	id:	CVE-2022-0923	Trust: 0.1

sources: VULMON: CVE-2022-0923 // JVNDB: JVNDB-2022-007563 // NVD: CVE-2022-0923 // CNNVD: CNNVD-202203-2001

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01	Trust: 2.6
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0923	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-0923/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1232	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022032302	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2022-0923 // JVNDB: JVNDB-2022-007563 // NVD: CVE-2022-0923 // CNNVD: CNNVD-202203-2001

CREDITS

Michael Heinzl and Dusan Stevanovic of Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202203-2001

SOURCES

db:	VULMON	id:	CVE-2022-0923
db:	JVNDB	id:	JVNDB-2022-007563
db:	NVD	id:	CVE-2022-0923
db:	CNNVD	id:	CNNVD-202203-2001

LAST UPDATE DATE

2023-12-18T11:56:27.765000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2022-0923	date:	2022-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2022-007563	date:	2023-07-18T08:33:00
db:	NVD	id:	CVE-2022-0923	date:	2022-04-05T18:19:36.077
db:	CNNVD	id:	CNNVD-202203-2001	date:	2022-04-06T00:00:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2022-0923	date:	2022-03-29T00:00:00
db:	JVNDB	id:	JVNDB-2022-007563	date:	2023-07-18T00:00:00
db:	NVD	id:	CVE-2022-0923	date:	2022-03-29T17:15:15.037
db:	CNNVD	id:	CNNVD-202203-2001	date:	2022-03-22T00:00:00