Details of VAR-202206-2048

ID

VAR-202206-2048

CVE

CVE-2022-2139

TITLE

Advantech Co., Ltd. iView Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-013713

DESCRIPTION

The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code. Advantech Co., Ltd. iView Exists in a past traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the filename element of the exportDeviceList action, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Advantech iView

Trust: 3.69

sources: NVD: CVE-2022-2139 // JVNDB: JVNDB-2022-013713 // ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // VULHUB: VHN-426273 // VULMON: CVE-2022-2139

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 2.1
vendor:	advantech	model:	iview	scope:	lt	version:	5.7.04.6469	Trust: 1.0
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	5.7.04.6469	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	-	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	-	Trust: 0.8

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // JVNDB: JVNDB-2022-013713 // NVD: CVE-2022-2139

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2022-2139
value:	CRITICAL
Trust: 1.4
nvd@nist.gov:	CVE-2022-2139
value:	CRITICAL
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-2139
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-2139
value:	CRITICAL
Trust: 0.8
ZDI:	CVE-2022-2139
value:	MEDIUM
Trust: 0.7
CNNVD:	CNNVD-202206-2728
value:	CRITICAL
Trust: 0.6

ZDI:	CVE-2022-2139
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.4
nvd@nist.gov:	CVE-2022-2139
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-2139
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-2139
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2022-2139
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // JVNDB: JVNDB-2022-013713 // CNNVD: CNNVD-202206-2728 // NVD: CVE-2022-2139 // NVD: CVE-2022-2139

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-23	Trust: 1.0
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-426273 // JVNDB: JVNDB-2022-013713 // NVD: CVE-2022-2139

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2728

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202206-2728

PATCH

title:	Advantech has issued an update to correct this vulnerability.	url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03	Trust: 2.1
title:	Advantech iView Repair measures for path traversal vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201955	Trust: 0.6

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // CNNVD: CNNVD-202206-2728

EXTERNAL IDS

db:	NVD	id:	CVE-2022-2139	Trust: 5.5
db:	ICS CERT	id:	ICSA-22-179-03	Trust: 2.6
db:	JVN	id:	JVNVU97814223	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-013713	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-16783	Trust: 0.7
db:	ZDI	id:	ZDI-22-933	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16702	Trust: 0.7
db:	ZDI	id:	ZDI-22-932	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16701	Trust: 0.7
db:	ZDI	id:	ZDI-22-931	Trust: 0.7
db:	CS-HELP	id:	SB2022062918	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.3141	Trust: 0.6
db:	CNNVD	id:	CNNVD-202206-2728	Trust: 0.6
db:	VULHUB	id:	VHN-426273	Trust: 0.1
db:	VULMON	id:	CVE-2022-2139	Trust: 0.1

sources: ZDI: ZDI-22-933 // ZDI: ZDI-22-932 // ZDI: ZDI-22-931 // VULHUB: VHN-426273 // VULMON: CVE-2022-2139 // JVNDB: JVNDB-2022-013713 // CNNVD: CNNVD-202206-2728 // NVD: CVE-2022-2139

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03	Trust: 4.7
url:	https://jvn.jp/vu/jvnvu97814223/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2139	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.3141	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022062918	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-2139/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03	Trust: 0.6

CREDITS

@rgod777

Trust: 1.4

sources: ZDI: ZDI-22-932 // ZDI: ZDI-22-931

SOURCES

db:	ZDI	id:	ZDI-22-933
db:	ZDI	id:	ZDI-22-932
db:	ZDI	id:	ZDI-22-931
db:	VULHUB	id:	VHN-426273
db:	VULMON	id:	CVE-2022-2139
db:	JVNDB	id:	JVNDB-2022-013713
db:	CNNVD	id:	CNNVD-202206-2728
db:	NVD	id:	CVE-2022-2139

LAST UPDATE DATE

2024-08-14T13:42:38.031000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-933	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-932	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-931	date:	2022-06-30T00:00:00
db:	VULHUB	id:	VHN-426273	date:	2022-07-29T00:00:00
db:	JVNDB	id:	JVNDB-2022-013713	date:	2023-09-11T08:18:00
db:	CNNVD	id:	CNNVD-202206-2728	date:	2022-08-01T00:00:00
db:	NVD	id:	CVE-2022-2139	date:	2022-07-29T01:19:10.197

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-933	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-932	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-931	date:	2022-06-30T00:00:00
db:	VULHUB	id:	VHN-426273	date:	2022-07-22T00:00:00
db:	JVNDB	id:	JVNDB-2022-013713	date:	2023-09-11T00:00:00
db:	CNNVD	id:	CNNVD-202206-2728	date:	2022-06-28T00:00:00
db:	NVD	id:	CVE-2022-2139	date:	2022-07-22T15:15:08.350