ID

VAR-202206-2046


CVE

CVE-2022-2142


TITLE

SQL injection vulnerability in Advantech Co., Ltd. iView

Trust: 0.8

sources: JVNDB: JVNDB-2022-013712

DESCRIPTION

The affected product is vulnerable to a SQL injection with high attack complexity, which may allow an unauthorized attacker to disclose information. Advantech Co., Ltd. iView contains a SQL injection vulnerability. Information may be obtained. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM.

Trust: 2.43

sources: NVD: CVE-2022-2142 // JVNDB: JVNDB-2022-013712 // ZDI: ZDI-22-934 // VULHUB: VHN-426276 // VULMON: CVE-2022-2142

AFFECTED PRODUCTS

vendor: advantech, model: iview, scope: lt, version: 5.7.04.6469

Trust: 1.0

vendor: アドバンテック株式会社, model: iview, scope: eq, version: 5.7.04.6469

Trust: 0.8

vendor: アドバンテック株式会社, model: iview, scope: -, version: -

Trust: 0.8

vendor: アドバンテック株式会社, model: iview, scope: eq, version: -

Trust: 0.8

vendor: advantech, model: iview, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-22-934 // JVNDB: JVNDB-2022-013712 // NVD: CVE-2022-2142

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-2142
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2142
value: HIGH

Trust: 1.0

NVD: CVE-2022-2142
value: MEDIUM

Trust: 0.8

ZDI: CVE-2022-2142
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202206-2731
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-2142
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2142
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-2142
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-2142
baseSeverity: HIGH
baseScore: 8.1
vectorString: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-934 // JVNDB: JVNDB-2022-013712 // CNNVD: CNNVD-202206-2731 // NVD: CVE-2022-2142 // NVD: CVE-2022-2142

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:SQL injection (CWE-89) [ others ]

Trust: 0.8

sources: VULHUB: VHN-426276 // JVNDB: JVNDB-2022-013712 // NVD: CVE-2022-2142

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2731

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202206-2731

PATCH

title: Advantech has issued an update to correct this vulnerability.
url: https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 0.7

title: Remediation measures for the Advantech iView SQL injection vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201808

Trust: 0.6

sources: ZDI: ZDI-22-934 // CNNVD: CNNVD-202206-2731

EXTERNAL IDS

db: NVD, id: CVE-2022-2142

Trust: 4.1

db: ICS CERT, id: ICSA-22-179-03

Trust: 2.6

db: JVN, id: JVNVU97814223

Trust: 0.8

db: JVNDB, id: JVNDB-2022-013712

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-16607

Trust: 0.7

db: ZDI, id: ZDI-22-934

Trust: 0.7

db: CS-HELP, id: SB2022062918

Trust: 0.6

db: AUSCERT, id: ESB-2022.3141

Trust: 0.6

db: CNNVD, id: CNNVD-202206-2731

Trust: 0.6

db: VULHUB, id: VHN-426276

Trust: 0.1

db: VULMON, id: CVE-2022-2142

Trust: 0.1

sources: ZDI: ZDI-22-934 // VULHUB: VHN-426276 // VULMON: CVE-2022-2142 // JVNDB: JVNDB-2022-013712 // CNNVD: CNNVD-202206-2731 // NVD: CVE-2022-2142

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 3.3

url:https://jvn.jp/vu/jvnvu97814223/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-2142

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-2142/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-934 // VULHUB: VHN-426276 // VULMON: CVE-2022-2142 // JVNDB: JVNDB-2022-013712 // CNNVD: CNNVD-202206-2731 // NVD: CVE-2022-2142

CREDITS

@rgod777

Trust: 0.7

sources: ZDI: ZDI-22-934

SOURCES

db: ZDI, id: ZDI-22-934
db: VULHUB, id: VHN-426276
db: VULMON, id: CVE-2022-2142
db: JVNDB, id: JVNDB-2022-013712
db: CNNVD, id: CNNVD-202206-2731
db: NVD, id: CVE-2022-2142

LAST UPDATE DATE

2024-08-14T13:42:38.115000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-934, date: 2022-06-30T00:00:00
db: VULHUB, id: VHN-426276, date: 2022-07-28T00:00:00
db: JVNDB, id: JVNDB-2022-013712, date: 2023-09-11T08:17:00
db: CNNVD, id: CNNVD-202206-2731, date: 2022-07-29T00:00:00
db: NVD, id: CVE-2022-2142, date: 2022-07-28T20:13:12.980

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-934, date: 2022-06-30T00:00:00
db: VULHUB, id: VHN-426276, date: 2022-07-22T00:00:00
db: JVNDB, id: JVNDB-2022-013712, date: 2023-09-11T00:00:00
db: CNNVD, id: CNNVD-202206-2731, date: 2022-06-28T00:00:00
db: NVD, id: CVE-2022-2142, date: 2022-07-22T15:15:08.407