ID

VAR-202206-2048


CVE

CVE-2022-2139


TITLE

Advantech Co., Ltd.  iView  Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-013713

DESCRIPTION

The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code. Advantech Co., Ltd. iView Exists in a past traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the filename element of the exportDeviceList action, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Advantech iView

Trust: 3.69

sources: NVD: CVE-2022-2139 // JVNDB: JVNDB-2022-013713 // ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // VULHUB: VHN-426273 // VULMON: CVE-2022-2139

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 2.1

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion:5.7.04.6469

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // JVNDB: JVNDB-2022-013713 // NVD: CVE-2022-2139

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2139
value: CRITICAL

Trust: 1.4

nvd@nist.gov: CVE-2022-2139
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2139
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-2139
value: CRITICAL

Trust: 0.8

ZDI: CVE-2022-2139
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-202206-2728
value: CRITICAL

Trust: 0.6

ZDI: CVE-2022-2139
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2022-2139
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2139
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-2139
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-2139
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // JVNDB: JVNDB-2022-013713 // CNNVD: CNNVD-202206-2728 // NVD: CVE-2022-2139 // NVD: CVE-2022-2139

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.1

problemtype:CWE-23

Trust: 1.0

problemtype:Path traversal (CWE-22) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-426273 // JVNDB: JVNDB-2022-013713 // NVD: CVE-2022-2139

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2728

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202206-2728

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 2.1

title:Advantech iView Repair measures for path traversal vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201955

Trust: 0.6

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // CNNVD: CNNVD-202206-2728

EXTERNAL IDS

db:NVDid:CVE-2022-2139

Trust: 5.5

db:ICS CERTid:ICSA-22-179-03

Trust: 2.6

db:JVNid:JVNVU97814223

Trust: 0.8

db:JVNDBid:JVNDB-2022-013713

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-16783

Trust: 0.7

db:ZDIid:ZDI-22-933

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16702

Trust: 0.7

db:ZDIid:ZDI-22-932

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16701

Trust: 0.7

db:ZDIid:ZDI-22-931

Trust: 0.7

db:CS-HELPid:SB2022062918

Trust: 0.6

db:AUSCERTid:ESB-2022.3141

Trust: 0.6

db:CNNVDid:CNNVD-202206-2728

Trust: 0.6

db:VULHUBid:VHN-426273

Trust: 0.1

db:VULMONid:CVE-2022-2139

Trust: 0.1

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // VULHUB: VHN-426273 // VULMON: CVE-2022-2139 // JVNDB: JVNDB-2022-013713 // CNNVD: CNNVD-202206-2728 // NVD: CVE-2022-2139

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 4.7

url:https://jvn.jp/vu/jvnvu97814223/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-2139

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-2139/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // VULHUB: VHN-426273 // VULMON: CVE-2022-2139 // JVNDB: JVNDB-2022-013713 // CNNVD: CNNVD-202206-2728 // NVD: CVE-2022-2139

CREDITS

@rgod777

Trust: 1.4

sources: ZDI: ZDI-22-932 // ZDI: ZDI-22-931

SOURCES

db:ZDIid:ZDI-22-933
db:ZDIid:ZDI-22-932
db:ZDIid:ZDI-22-931
db:VULHUBid:VHN-426273
db:VULMONid:CVE-2022-2139
db:JVNDBid:JVNDB-2022-013713
db:CNNVDid:CNNVD-202206-2728
db:NVDid:CVE-2022-2139

LAST UPDATE DATE

2024-08-14T13:42:38.031000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-933date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-932date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-931date:2022-06-30T00:00:00
db:VULHUBid:VHN-426273date:2022-07-29T00:00:00
db:JVNDBid:JVNDB-2022-013713date:2023-09-11T08:18:00
db:CNNVDid:CNNVD-202206-2728date:2022-08-01T00:00:00
db:NVDid:CVE-2022-2139date:2022-07-29T01:19:10.197

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-933date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-932date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-931date:2022-06-30T00:00:00
db:VULHUBid:VHN-426273date:2022-07-22T00:00:00
db:JVNDBid:JVNDB-2022-013713date:2023-09-11T00:00:00
db:CNNVDid:CNNVD-202206-2728date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2139date:2022-07-22T15:15:08.350