Details of VAR-202204-1816

ID

VAR-202204-1816

CVE

CVE-2022-1376

TITLE

Delta Electronics, INC. of DIAEnergie In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-008972

DESCRIPTION

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands. Delta Electronics, INC. of DIAEnergie for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-1376 // JVNDB: JVNDB-2022-008972 // VULMON: CVE-2022-1376

AFFECTED PRODUCTS

vendor:	deltaww	model:	diaenergie	scope:	lt	version:	1.8.02.004	Trust: 1.0
vendor:	delta	model:	diaenergie	scope:	eq	version:	-	Trust: 0.8
vendor:	delta	model:	diaenergie	scope:	eq	version:	1.8.02.004	Trust: 0.8
vendor:	delta	model:	diaenergie	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-008972 // NVD: CVE-2022-1376

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-1376
value:	CRITICAL
Trust: 1.8
ics-cert@hq.dhs.gov:	CVE-2022-1376
value:	CRITICAL
Trust: 1.0
CNNVD:	CNNVD-202204-4572
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2022-1376
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2022-1376
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9

NVD:
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-1376
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2022-1376 // JVNDB: JVNDB-2022-008972 // NVD: CVE-2022-1376 // NVD: CVE-2022-1376 // CNNVD: CNNVD-202204-4572

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-008972 // NVD: CVE-2022-1376

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-4572

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202204-4572

CONFIGURATIONS

sources: NVD: CVE-2022-1376

PATCH

title:

Delta Electronics DIAEnergie SQL Repair measures for injecting vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=191002

Trust: 0.6

sources: CNNVD: CNNVD-202204-4572

EXTERNAL IDS

db:	NVD	id:	CVE-2022-1376	Trust: 3.3
db:	ICS CERT	id:	ICSA-22-081-01	Trust: 2.5
db:	JVN	id:	JVNVU99338807	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-008972	Trust: 0.8
db:	CNNVD	id:	CNNVD-202204-4572	Trust: 0.6
db:	VULMON	id:	CVE-2022-1376	Trust: 0.1

sources: VULMON: CVE-2022-1376 // JVNDB: JVNDB-2022-008972 // NVD: CVE-2022-1376 // CNNVD: CNNVD-202204-4572

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01	Trust: 2.5
url:	https://jvn.jp/vu/jvnvu99338807/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1376	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-1376/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2022-1376 // JVNDB: JVNDB-2022-008972 // NVD: CVE-2022-1376 // CNNVD: CNNVD-202204-4572

CREDITS

Michael Heinzl and Dusan Stevanovic of Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202204-4572

SOURCES

db:	VULMON	id:	CVE-2022-1376
db:	JVNDB	id:	JVNDB-2022-008972
db:	NVD	id:	CVE-2022-1376
db:	CNNVD	id:	CNNVD-202204-4572

LAST UPDATE DATE

2023-12-18T11:56:27.560000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2022-1376	date:	2022-05-10T00:00:00
db:	JVNDB	id:	JVNDB-2022-008972	date:	2023-08-01T08:34:00
db:	NVD	id:	CVE-2022-1376	date:	2022-05-10T20:13:35.657
db:	CNNVD	id:	CNNVD-202204-4572	date:	2022-05-11T00:00:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2022-1376	date:	2022-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-008972	date:	2023-08-01T00:00:00
db:	NVD	id:	CVE-2022-1376	date:	2022-05-02T19:15:08.797
db:	CNNVD	id:	CNNVD-202204-4572	date:	2022-04-28T00:00:00