ID

VAR-202206-2045


CVE

CVE-2022-2136


TITLE

Advantech Co., Ltd.  iView  In  SQL  Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-013716

DESCRIPTION

The affected product is vulnerable to multiple SQL injections that require low privileges for exploitation and may allow an unauthorized attacker to disclose information. Advantech Co., Ltd. iView for, SQL There is an injection vulnerability.Information may be obtained. This vulnerability allows remote attackers to create arbitrary files on affected installations of Advantech iView. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the ipaddress element of the updatePROMFile action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Advantech iView

Trust: 6.21

sources: NVD: CVE-2022-2136 // JVNDB: JVNDB-2022-013716 // ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-922 // ZDI: ZDI-22-921 // ZDI: ZDI-22-920 // ZDI: ZDI-22-937 // VULHUB: VHN-426270 // VULMON: CVE-2022-2136

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 4.9

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion:5.7.04.6469

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

sources: ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-922 // ZDI: ZDI-22-921 // ZDI: ZDI-22-920 // ZDI: ZDI-22-937 // JVNDB: JVNDB-2022-013716 // NVD: CVE-2022-2136

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2136
value: HIGH

Trust: 2.8

ZDI: CVE-2022-2136
value: MEDIUM

Trust: 2.1

nvd@nist.gov: CVE-2022-2136
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2136
value: HIGH

Trust: 1.0

NVD: CVE-2022-2136
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202206-2714
value: MEDIUM

Trust: 0.6

ZDI: CVE-2022-2136
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 2.8

ZDI: CVE-2022-2136
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 2.1

nvd@nist.gov: CVE-2022-2136
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2136
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-2136
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-922 // ZDI: ZDI-22-921 // ZDI: ZDI-22-920 // ZDI: ZDI-22-937 // JVNDB: JVNDB-2022-013716 // CNNVD: CNNVD-202206-2714 // NVD: CVE-2022-2136 // NVD: CVE-2022-2136

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:SQL injection (CWE-89) [ others ]

Trust: 0.8

sources: VULHUB: VHN-426270 // JVNDB: JVNDB-2022-013716 // NVD: CVE-2022-2136

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2714

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202206-2714

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 4.9

sources: ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-922 // ZDI: ZDI-22-921 // ZDI: ZDI-22-920 // ZDI: ZDI-22-937

EXTERNAL IDS

db:NVDid:CVE-2022-2136

Trust: 8.3

db:ICS CERTid:ICSA-22-179-03

Trust: 2.6

db:JVNid:JVNVU97814223

Trust: 0.8

db:JVNDBid:JVNDB-2022-013716

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-16772

Trust: 0.7

db:ZDIid:ZDI-22-925

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16771

Trust: 0.7

db:ZDIid:ZDI-22-924

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16775

Trust: 0.7

db:ZDIid:ZDI-22-923

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16752

Trust: 0.7

db:ZDIid:ZDI-22-922

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16744

Trust: 0.7

db:ZDIid:ZDI-22-921

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16748

Trust: 0.7

db:ZDIid:ZDI-22-920

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16773

Trust: 0.7

db:ZDIid:ZDI-22-937

Trust: 0.7

db:CS-HELPid:SB2022062918

Trust: 0.6

db:AUSCERTid:ESB-2022.3141

Trust: 0.6

db:CNNVDid:CNNVD-202206-2714

Trust: 0.6

db:VULHUBid:VHN-426270

Trust: 0.1

db:VULMONid:CVE-2022-2136

Trust: 0.1

sources: ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-922 // ZDI: ZDI-22-921 // ZDI: ZDI-22-920 // ZDI: ZDI-22-937 // VULHUB: VHN-426270 // VULMON: CVE-2022-2136 // JVNDB: JVNDB-2022-013716 // CNNVD: CNNVD-202206-2714 // NVD: CVE-2022-2136

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 7.5

url:https://jvn.jp/vu/jvnvu97814223/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-2136

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-2136/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-922 // ZDI: ZDI-22-921 // ZDI: ZDI-22-920 // ZDI: ZDI-22-937 // VULHUB: VHN-426270 // VULMON: CVE-2022-2136 // JVNDB: JVNDB-2022-013716 // CNNVD: CNNVD-202206-2714 // NVD: CVE-2022-2136

CREDITS

rgod

Trust: 2.8

sources: ZDI: ZDI-22-925 // ZDI: ZDI-22-924 // ZDI: ZDI-22-923 // ZDI: ZDI-22-937

SOURCES

db:ZDIid:ZDI-22-925
db:ZDIid:ZDI-22-924
db:ZDIid:ZDI-22-923
db:ZDIid:ZDI-22-922
db:ZDIid:ZDI-22-921
db:ZDIid:ZDI-22-920
db:ZDIid:ZDI-22-937
db:VULHUBid:VHN-426270
db:VULMONid:CVE-2022-2136
db:JVNDBid:JVNDB-2022-013716
db:CNNVDid:CNNVD-202206-2714
db:NVDid:CVE-2022-2136

LAST UPDATE DATE

2024-08-14T13:42:38.338000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-925date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-924date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-923date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-922date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-921date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-920date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-937date:2022-07-14T00:00:00
db:VULHUBid:VHN-426270date:2022-07-28T00:00:00
db:JVNDBid:JVNDB-2022-013716date:2023-09-11T08:18:00
db:CNNVDid:CNNVD-202206-2714date:2022-07-29T00:00:00
db:NVDid:CVE-2022-2136date:2022-07-28T20:10:32.447

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-925date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-924date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-923date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-922date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-921date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-920date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-937date:2022-06-30T00:00:00
db:VULHUBid:VHN-426270date:2022-07-22T00:00:00
db:JVNDBid:JVNDB-2022-013716date:2023-09-11T00:00:00
db:CNNVDid:CNNVD-202206-2714date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2136date:2022-07-22T15:15:08.180