ID

VAR-202206-2049


CVE

CVE-2022-2138


TITLE

Advantech Co., Ltd.  iView  Vulnerability regarding lack of authentication for critical features in

Trust: 0.8

sources: JVNDB: JVNDB-2022-013714

DESCRIPTION

The affected product is vulnerable due to missing authentication, which may allow an attacker to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service condition. Advantech Co., Ltd. iView There is a vulnerability in the lack of authentication for critical features.Service operation interruption (DoS) It may be in a state. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing access to the clearDatabase functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Advantech iView

Trust: 3.69

sources: NVD: CVE-2022-2138 // JVNDB: JVNDB-2022-013714 // ZDI: ZDI-22-930 // ZDI: ZDI-22-929 // ZDI: ZDI-22-928 // VULHUB: VHN-426272 // VULMON: CVE-2022-2138

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 2.1

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion:5.7.04.6469

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

sources: ZDI: ZDI-22-930 // ZDI: ZDI-22-929 // ZDI: ZDI-22-928 // JVNDB: JVNDB-2022-013714 // NVD: CVE-2022-2138

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2138
value: HIGH

Trust: 2.1

nvd@nist.gov: CVE-2022-2138
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2138
value: HIGH

Trust: 1.0

NVD: CVE-2022-2138
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202206-2724
value: HIGH

Trust: 0.6

ZDI: CVE-2022-2138
baseSeverity: HIGH
baseScore: 8.2
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.2
version: 3.0

Trust: 2.1

nvd@nist.gov: CVE-2022-2138
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2138
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 4.2
version: 3.1

Trust: 1.0

NVD: CVE-2022-2138
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-930 // ZDI: ZDI-22-929 // ZDI: ZDI-22-928 // JVNDB: JVNDB-2022-013714 // CNNVD: CNNVD-202206-2724 // NVD: CVE-2022-2138 // NVD: CVE-2022-2138

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:Lack of authentication for critical features (CWE-306) [ others ]

Trust: 0.8

sources: VULHUB: VHN-426272 // JVNDB: JVNDB-2022-013714 // NVD: CVE-2022-2138

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2724

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202206-2724

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 2.1

title:Advantech iView Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201807

Trust: 0.6

sources: ZDI: ZDI-22-930 // ZDI: ZDI-22-929 // ZDI: ZDI-22-928 // CNNVD: CNNVD-202206-2724

EXTERNAL IDS

db:NVDid:CVE-2022-2138

Trust: 5.5

db:ICS CERTid:ICSA-22-179-03

Trust: 2.6

db:JVNid:JVNVU97814223

Trust: 0.8

db:JVNDBid:JVNDB-2022-013714

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-16774

Trust: 0.7

db:ZDIid:ZDI-22-930

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16776

Trust: 0.7

db:ZDIid:ZDI-22-929

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16688

Trust: 0.7

db:ZDIid:ZDI-22-928

Trust: 0.7

db:CS-HELPid:SB2022062918

Trust: 0.6

db:AUSCERTid:ESB-2022.3141

Trust: 0.6

db:CNNVDid:CNNVD-202206-2724

Trust: 0.6

db:VULHUBid:VHN-426272

Trust: 0.1

db:VULMONid:CVE-2022-2138

Trust: 0.1

sources: ZDI: ZDI-22-930 // ZDI: ZDI-22-929 // ZDI: ZDI-22-928 // VULHUB: VHN-426272 // VULMON: CVE-2022-2138 // JVNDB: JVNDB-2022-013714 // CNNVD: CNNVD-202206-2724 // NVD: CVE-2022-2138

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 4.7

url:https://jvn.jp/vu/jvnvu97814223/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-2138

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-2138/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-930 // ZDI: ZDI-22-929 // ZDI: ZDI-22-928 // VULHUB: VHN-426272 // VULMON: CVE-2022-2138 // JVNDB: JVNDB-2022-013714 // CNNVD: CNNVD-202206-2724 // NVD: CVE-2022-2138

CREDITS

rgod

Trust: 1.4

sources: ZDI: ZDI-22-930 // ZDI: ZDI-22-929

SOURCES

db:ZDIid:ZDI-22-930
db:ZDIid:ZDI-22-929
db:ZDIid:ZDI-22-928
db:VULHUBid:VHN-426272
db:VULMONid:CVE-2022-2138
db:JVNDBid:JVNDB-2022-013714
db:CNNVDid:CNNVD-202206-2724
db:NVDid:CVE-2022-2138

LAST UPDATE DATE

2024-08-14T13:42:38.150000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-930date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-929date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-928date:2022-06-30T00:00:00
db:VULHUBid:VHN-426272date:2022-07-28T00:00:00
db:JVNDBid:JVNDB-2022-013714date:2023-09-11T08:18:00
db:CNNVDid:CNNVD-202206-2724date:2022-07-29T00:00:00
db:NVDid:CVE-2022-2138date:2022-07-28T20:12:50.197

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-930date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-929date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-928date:2022-06-30T00:00:00
db:VULHUBid:VHN-426272date:2022-07-22T00:00:00
db:JVNDBid:JVNDB-2022-013714date:2023-09-11T00:00:00
db:CNNVDid:CNNVD-202206-2724date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2138date:2022-07-22T15:15:08.293