Sign-up

ID

VAR-202206-2047


CVE

CVE-2022-2143


TITLE

Advantech Co., Ltd.  iView  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-013711

DESCRIPTION

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code. Advantech Co., Ltd. iView Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the backup_filename element of the backupDatabase action, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Advantech iView

Trust: 3.06

sources: NVD: CVE-2022-2143 // JVNDB: JVNDB-2022-013711 // ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // VULHUB: VHN-426277 // VULMON: CVE-2022-2143

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 1.4

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion:5.7.04.6469

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // JVNDB: JVNDB-2022-013711 // NVD: CVE-2022-2143

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2143
value: CRITICAL

Trust: 1.4

nvd@nist.gov: CVE-2022-2143
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2143
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-2143
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202206-2735
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2022-2143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

ZDI: CVE-2022-2143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.4

NVD: CVE-2022-2143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // JVNDB: JVNDB-2022-013711 // CNNVD: CNNVD-202206-2735 // NVD: CVE-2022-2143 // NVD: CVE-2022-2143

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.1

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-426277 // JVNDB: JVNDB-2022-013711 // NVD: CVE-2022-2143

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2735

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202206-2735

EXPLOIT AVAILABILITY

sources:
            
            
            VULHUB: VHN-426277

PATCH
title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03
Trust: 1.4
title:Advantech iView Fixes for command injection vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=197831
Trust: 0.6
sources:
            
            
            ZDI: ZDI-22-936 // 
            
            
            
            ZDI: ZDI-22-935 // 
            
            
            
            CNNVD: CNNVD-202206-2735

EXTERNAL IDS
db:NVDid:CVE-2022-2143
Trust: 4.8
db:ICS CERTid:ICSA-22-179-03
Trust: 2.6
db:PACKETSTORMid:168108
Trust: 2.5
db:JVNid:JVNVU97814223
Trust: 0.8
db:JVNDBid:JVNDB-2022-013711
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-16685
Trust: 0.7
db:ZDIid:ZDI-22-936
Trust: 0.7
db:ZDI_CANid:ZDI-CAN-16528
Trust: 0.7
db:ZDIid:ZDI-22-935
Trust: 0.7
db:CS-HELPid:SB2022062918
Trust: 0.6
db:AUSCERTid:ESB-2022.3141
Trust: 0.6
db:CNNVDid:CNNVD-202206-2735
Trust: 0.6
db:VULHUBid:VHN-426277
Trust: 0.1
db:VULMONid:CVE-2022-2143
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-936 // 
            
            
            
            ZDI: ZDI-22-935 // 
            
            
            
            VULHUB: VHN-426277 // 
            
            
            
            VULMON: CVE-2022-2143 // 
            
            
            
            JVNDB: JVNDB-2022-013711 // 
            
            
            
            CNNVD: CNNVD-202206-2735 // 
            
            
            
            NVD: CVE-2022-2143

REFERENCES
url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03
Trust: 4.0
url:http://packetstormsecurity.com/files/168108/advantech-iview-networkservlet-command-injection.html
Trust: 3.1
url:https://jvn.jp/vu/jvnvu97814223/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2022-2143
Trust: 0.8
url:https://cxsecurity.com/cveshow/cve-2022-2143/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2022.3141
Trust: 0.6
url:https://www.cybersecurity-help.cz/vdb/sb2022062918
Trust: 0.6
url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03
Trust: 0.6
sources:
            
            
            ZDI: ZDI-22-936 // 
            
            
            
            ZDI: ZDI-22-935 // 
            
            
            
            VULHUB: VHN-426277 // 
            
            
            
            VULMON: CVE-2022-2143 // 
            
            
            
            JVNDB: JVNDB-2022-013711 // 
            
            
            
            CNNVD: CNNVD-202206-2735 // 
            
            
            
            NVD: CVE-2022-2143

CREDITS
@rgod777
Trust: 0.7
sources:
            
            
            ZDI: ZDI-22-936

SOURCES
db:ZDIid:ZDI-22-936
db:ZDIid:ZDI-22-935
db:VULHUBid:VHN-426277
db:VULMONid:CVE-2022-2143
db:JVNDBid:JVNDB-2022-013711
db:CNNVDid:CNNVD-202206-2735
db:NVDid:CVE-2022-2143

LAST UPDATE DATE
2024-08-14T13:42:38.295000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-22-936date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-935date:2022-06-30T00:00:00
db:VULHUBid:VHN-426277date:2022-10-26T00:00:00
db:JVNDBid:JVNDB-2022-013711date:2023-09-11T08:17:00
db:CNNVDid:CNNVD-202206-2735date:2023-07-25T00:00:00
db:NVDid:CVE-2022-2143date:2023-07-24T13:08:23.047

SOURCES RELEASE DATE
db:ZDIid:ZDI-22-936date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-935date:2022-06-30T00:00:00
db:VULHUBid:VHN-426277date:2022-07-22T00:00:00
db:JVNDBid:JVNDB-2022-013711date:2023-09-11T00:00:00
db:CNNVDid:CNNVD-202206-2735date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2143date:2022-07-22T15:15:08.463