Details of VAR-202204-1819

ID

VAR-202204-1819

CVE

CVE-2022-1378

TITLE

Delta Electronics, INC. of DIAEnergie In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-008970

DESCRIPTION

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands. Delta Electronics, INC. of DIAEnergie for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-1378 // JVNDB: JVNDB-2022-008970 // VULMON: CVE-2022-1378

AFFECTED PRODUCTS

vendor:	deltaww	model:	diaenergie	scope:	lt	version:	1.8.02.004	Trust: 1.0
vendor:	delta	model:	diaenergie	scope:	eq	version:	-	Trust: 0.8
vendor:	delta	model:	diaenergie	scope:	eq	version:	1.8.02.004	Trust: 0.8
vendor:	delta	model:	diaenergie	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-008970 // NVD: CVE-2022-1378

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-1378
value:	CRITICAL
Trust: 1.8
ics-cert@hq.dhs.gov:	CVE-2022-1378
value:	CRITICAL
Trust: 1.0
CNNVD:	CNNVD-202204-4576
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2022-1378
value:	HIGH
Trust: 0.1

NVD:
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2022-1378
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.9

NVD:
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-1378
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2022-1378 // JVNDB: JVNDB-2022-008970 // NVD: CVE-2022-1378 // NVD: CVE-2022-1378 // CNNVD: CNNVD-202204-4576

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-008970 // NVD: CVE-2022-1378

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-4576

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202204-4576

CONFIGURATIONS

sources: NVD: CVE-2022-1378

PATCH

title:

Delta Electronics DIAEnergie SQL Repair measures for injecting vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=191004

Trust: 0.6

sources: CNNVD: CNNVD-202204-4576

EXTERNAL IDS

db:	NVD	id:	CVE-2022-1378	Trust: 3.3
db:	ICS CERT	id:	ICSA-22-081-01	Trust: 2.5
db:	JVN	id:	JVNVU99338807	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-008970	Trust: 0.8
db:	CNNVD	id:	CNNVD-202204-4576	Trust: 0.6
db:	VULMON	id:	CVE-2022-1378	Trust: 0.1

sources: VULMON: CVE-2022-1378 // JVNDB: JVNDB-2022-008970 // NVD: CVE-2022-1378 // CNNVD: CNNVD-202204-4576

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01	Trust: 2.5
url:	https://jvn.jp/vu/jvnvu99338807/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1378	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-1378/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2022-1378 // JVNDB: JVNDB-2022-008970 // NVD: CVE-2022-1378 // CNNVD: CNNVD-202204-4576

CREDITS

Michael Heinzl and Dusan Stevanovic of Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202204-4576

SOURCES

db:	VULMON	id:	CVE-2022-1378
db:	JVNDB	id:	JVNDB-2022-008970
db:	NVD	id:	CVE-2022-1378
db:	CNNVD	id:	CNNVD-202204-4576

LAST UPDATE DATE

2023-12-18T11:56:27.517000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2022-1378	date:	2022-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2022-008970	date:	2023-08-01T08:34:00
db:	NVD	id:	CVE-2022-1378	date:	2022-05-11T12:00:23.023
db:	CNNVD	id:	CNNVD-202204-4576	date:	2022-05-12T00:00:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2022-1378	date:	2022-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-008970	date:	2023-08-01T00:00:00
db:	NVD	id:	CVE-2022-1378	date:	2022-05-02T19:15:08.913
db:	CNNVD	id:	CNNVD-202204-4576	date:	2022-04-28T00:00:00