ID

VAR-202206-2047


CVE

CVE-2022-2143


TITLE

Advantech Co., Ltd.  iView  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-013711

DESCRIPTION

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code. Advantech Co., Ltd. iView Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the backup_filename element of the backupDatabase action, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Advantech iView

Trust: 3.06

sources: NVD: CVE-2022-2143 // JVNDB: JVNDB-2022-013711 // ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // VULHUB: VHN-426277 // VULMON: CVE-2022-2143

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 1.4

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion:5.7.04.6469

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // JVNDB: JVNDB-2022-013711 // NVD: CVE-2022-2143

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2143
value: CRITICAL

Trust: 1.4

nvd@nist.gov: CVE-2022-2143
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2143
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-2143
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202206-2735
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2022-2143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

ZDI: CVE-2022-2143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.4

NVD: CVE-2022-2143
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // JVNDB: JVNDB-2022-013711 // CNNVD: CNNVD-202206-2735 // NVD: CVE-2022-2143 // NVD: CVE-2022-2143

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.1

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-426277 // JVNDB: JVNDB-2022-013711 // NVD: CVE-2022-2143

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2735

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202206-2735

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-426277

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 1.4

title:Advantech iView Fixes for command injection vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=197831

Trust: 0.6

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // CNNVD: CNNVD-202206-2735

EXTERNAL IDS

db:NVDid:CVE-2022-2143

Trust: 4.8

db:ICS CERTid:ICSA-22-179-03

Trust: 2.6

db:PACKETSTORMid:168108

Trust: 2.5

db:JVNid:JVNVU97814223

Trust: 0.8

db:JVNDBid:JVNDB-2022-013711

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-16685

Trust: 0.7

db:ZDIid:ZDI-22-936

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16528

Trust: 0.7

db:ZDIid:ZDI-22-935

Trust: 0.7

db:CS-HELPid:SB2022062918

Trust: 0.6

db:AUSCERTid:ESB-2022.3141

Trust: 0.6

db:CNNVDid:CNNVD-202206-2735

Trust: 0.6

db:VULHUBid:VHN-426277

Trust: 0.1

db:VULMONid:CVE-2022-2143

Trust: 0.1

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // VULHUB: VHN-426277 // VULMON: CVE-2022-2143 // JVNDB: JVNDB-2022-013711 // CNNVD: CNNVD-202206-2735 // NVD: CVE-2022-2143

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 4.0

url:http://packetstormsecurity.com/files/168108/advantech-iview-networkservlet-command-injection.html

Trust: 3.1

url:https://jvn.jp/vu/jvnvu97814223/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-2143

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-2143/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-936 // ZDI: ZDI-22-935 // VULHUB: VHN-426277 // VULMON: CVE-2022-2143 // JVNDB: JVNDB-2022-013711 // CNNVD: CNNVD-202206-2735 // NVD: CVE-2022-2143

CREDITS

@rgod777

Trust: 0.7

sources: ZDI: ZDI-22-936

SOURCES

db:ZDIid:ZDI-22-936
db:ZDIid:ZDI-22-935
db:VULHUBid:VHN-426277
db:VULMONid:CVE-2022-2143
db:JVNDBid:JVNDB-2022-013711
db:CNNVDid:CNNVD-202206-2735
db:NVDid:CVE-2022-2143

LAST UPDATE DATE

2024-08-14T13:42:38.295000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-936date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-935date:2022-06-30T00:00:00
db:VULHUBid:VHN-426277date:2022-10-26T00:00:00
db:JVNDBid:JVNDB-2022-013711date:2023-09-11T08:17:00
db:CNNVDid:CNNVD-202206-2735date:2023-07-25T00:00:00
db:NVDid:CVE-2022-2143date:2023-07-24T13:08:23.047

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-936date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-935date:2022-06-30T00:00:00
db:VULHUBid:VHN-426277date:2022-07-22T00:00:00
db:JVNDBid:JVNDB-2022-013711date:2023-09-11T00:00:00
db:CNNVDid:CNNVD-202206-2735date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2143date:2022-07-22T15:15:08.463