Details of VAR-202203-0846

ID

VAR-202203-0846

CVE

CVE-2022-21808

TITLE

Yokogawa Exaopc Path traversal vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202203-1157

DESCRIPTION

Path traversal vulnerability exists in CAMS for HIS Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00

Trust: 0.99

sources: NVD: CVE-2022-21808 // VULHUB: VHN-414056

AFFECTED PRODUCTS

vendor:	yokogawa	model:	centum vp entry	scope:	gte	version:	r5.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	gte	version:	r4.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000 entry	scope:	lte	version:	r3.09.00	Trust: 1.0
vendor:	yokogawa	model:	exaopc	scope:	lt	version:	r3.80.00	Trust: 1.0
vendor:	yokogawa	model:	exaopc	scope:	gte	version:	r3.72.00	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000 entry	scope:	gte	version:	r3.08.10	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	gte	version:	r4.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	lte	version:	r5.04.20	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	lte	version:	r5.04.20	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000	scope:	lte	version:	r3.09.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	lt	version:	r6.09.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	lte	version:	r4.03.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	lte	version:	r4.03.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	gte	version:	r6.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	gte	version:	r6.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000	scope:	gte	version:	r3.08.10	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	lt	version:	r6.09.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	gte	version:	r5.01.00	Trust: 1.0

sources: NVD: CVE-2022-21808

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-21808
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202203-1157
value:	HIGH
Trust: 0.6
VULHUB:	VHN-414056
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-21808
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-414056
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-21808
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-414056 // CNNVD: CNNVD-202203-1157 // NVD: CVE-2022-21808

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-23	Trust: 1.0

sources: VULHUB: VHN-414056 // NVD: CVE-2022-21808

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-1157

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202203-1157

PATCH

title:

Yokogawa Exaopc Repair measures for path traversal vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186338

Trust: 0.6

sources: CNNVD: CNNVD-202203-1157

EXTERNAL IDS

db:	NVD	id:	CVE-2022-21808	Trust: 1.7
db:	CS-HELP	id:	SB2022032906	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1276	Trust: 0.6
db:	ICS CERT	id:	ICSA-22-083-01	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-1157	Trust: 0.6
db:	VULHUB	id:	VHN-414056	Trust: 0.1

sources: VULHUB: VHN-414056 // CNNVD: CNNVD-202203-1157 // NVD: CVE-2022-21808

REFERENCES

url:	https://web-material3.yokogawa.com/1/32094/files/ysar-22-0001-e.pdf	Trust: 1.7
url:	https://www.cybersecurity-help.cz/vdb/sb2022032906	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-21808/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1276	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01	Trust: 0.6

sources: VULHUB: VHN-414056 // CNNVD: CNNVD-202203-1157 // NVD: CVE-2022-21808

CREDITS

Jacob Baines from Dragos reported these vulnerabilities to Yokogawa.

Trust: 0.6

sources: CNNVD: CNNVD-202203-1157

SOURCES

db:	VULHUB	id:	VHN-414056
db:	CNNVD	id:	CNNVD-202203-1157
db:	NVD	id:	CVE-2022-21808

LAST UPDATE DATE

2024-11-23T21:32:45.569000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-414056	date:	2022-03-18T00:00:00
db:	CNNVD	id:	CNNVD-202203-1157	date:	2022-03-30T00:00:00
db:	NVD	id:	CVE-2022-21808	date:	2024-11-21T06:45:28.580

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-414056	date:	2022-03-11T00:00:00
db:	CNNVD	id:	CNNVD-202203-1157	date:	2022-03-11T00:00:00
db:	NVD	id:	CVE-2022-21808	date:	2022-03-11T09:15:11.407