ID

VAR-202206-2050


CVE

CVE-2022-2135


TITLE

SQL injection vulnerability in Advantech Co., Ltd. iView

Trust: 0.8

sources: JVNDB: JVNDB-2022-013717

DESCRIPTION

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Advantech Co., Ltd. iView contains an SQL injection vulnerability. Information may be obtained. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the CREATE_DATE element of the removeSearchDevicesFromTask action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

Trust: 11.79

sources: NVD: CVE-2022-2135 // JVNDB: JVNDB-2022-013717 // ZDI: ZDI-22-918 // ZDI: ZDI-22-884 // ZDI: ZDI-22-885 // ZDI: ZDI-22-889 // ZDI: ZDI-22-894 // ZDI: ZDI-22-895 // ZDI: ZDI-22-899 // ZDI: ZDI-22-919 // ZDI: ZDI-22-905 // ZDI: ZDI-22-909 // ZDI: ZDI-22-913 // ZDI: ZDI-22-914 // ZDI: ZDI-22-915 // ZDI: ZDI-22-916 // ZDI: ZDI-22-917 // ZDI: ZDI-22-904 // VULHUB: VHN-426269

AFFECTED PRODUCTS

vendor: advantech, model: iview, scope: -, version: -

Trust: 11.2

vendor: advantech, model: iview, scope: lt, version: 5.7.04.6469

Trust: 1.0

vendor: アドバンテック株式会社, model: iview, scope: eq, version: 5.7.04.6469

Trust: 0.8

vendor: アドバンテック株式会社, model: iview, scope: -, version: -

Trust: 0.8

vendor: アドバンテック株式会社, model: iview, scope: eq, version: -

Trust: 0.8

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-905 // ZDI: ZDI-22-904 // ZDI: ZDI-22-899 // ZDI: ZDI-22-895 // ZDI: ZDI-22-894 // ZDI: ZDI-22-889 // ZDI: ZDI-22-885 // ZDI: ZDI-22-884 // JVNDB: JVNDB-2022-013717 // NVD: CVE-2022-2135

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2135
value: HIGH

Trust: 8.4

ZDI: CVE-2022-2135
value: CRITICAL

Trust: 2.8

nvd@nist.gov: CVE-2022-2135
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2135
value: HIGH

Trust: 1.0

NVD: CVE-2022-2135
value: HIGH

Trust: 0.8

ZDI: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 8.4

ZDI: CVE-2022-2135
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 2.8

nvd@nist.gov: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

NVD: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-905 // ZDI: ZDI-22-904 // ZDI: ZDI-22-899 // ZDI: ZDI-22-895 // ZDI: ZDI-22-894 // ZDI: ZDI-22-889 // ZDI: ZDI-22-885 // ZDI: ZDI-22-884 // JVNDB: JVNDB-2022-013717 // NVD: CVE-2022-2135 // NVD: CVE-2022-2135

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.1

problemtype: SQL injection (CWE-89) [others]

Trust: 0.8

sources: VULHUB: VHN-426269 // JVNDB: JVNDB-2022-013717 // NVD: CVE-2022-2135

PATCH

title: Advantech has issued an update to correct this vulnerability.
url: https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 11.2

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-905 // ZDI: ZDI-22-904 // ZDI: ZDI-22-899 // ZDI: ZDI-22-895 // ZDI: ZDI-22-894 // ZDI: ZDI-22-889 // ZDI: ZDI-22-885 // ZDI: ZDI-22-884

EXTERNAL IDS

db: NVD, id: CVE-2022-2135

Trust: 13.9

db: ICS CERT, id: ICSA-22-179-03

Trust: 1.9

db: JVN, id: JVNVU97814223

Trust: 0.8

db: JVNDB, id: JVNDB-2022-013717

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-16750

Trust: 0.7

db: ZDI, id: ZDI-22-919

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16529

Trust: 0.7

db: ZDI, id: ZDI-22-918

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16535

Trust: 0.7

db: ZDI, id: ZDI-22-917

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16561

Trust: 0.7

db: ZDI, id: ZDI-22-916

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16585

Trust: 0.7

db: ZDI, id: ZDI-22-915

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16562

Trust: 0.7

db: ZDI, id: ZDI-22-914

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16591

Trust: 0.7

db: ZDI, id: ZDI-22-913

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16660

Trust: 0.7

db: ZDI, id: ZDI-22-909

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16583

Trust: 0.7

db: ZDI, id: ZDI-22-905

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16592

Trust: 0.7

db: ZDI, id: ZDI-22-904

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16545

Trust: 0.7

db: ZDI, id: ZDI-22-899

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16544

Trust: 0.7

db: ZDI, id: ZDI-22-895

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16649

Trust: 0.7

db: ZDI, id: ZDI-22-894

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16550

Trust: 0.7

db: ZDI, id: ZDI-22-889

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16584

Trust: 0.7

db: ZDI, id: ZDI-22-885

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-16658

Trust: 0.7

db: ZDI, id: ZDI-22-884

Trust: 0.7

db: VULHUB, id: VHN-426269

Trust: 0.1

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-905 // ZDI: ZDI-22-904 // ZDI: ZDI-22-899 // ZDI: ZDI-22-895 // ZDI: ZDI-22-894 // ZDI: ZDI-22-889 // ZDI: ZDI-22-885 // ZDI: ZDI-22-884 // VULHUB: VHN-426269 // JVNDB: JVNDB-2022-013717 // NVD: CVE-2022-2135

REFERENCES

url: https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 13.1

url: https://jvn.jp/vu/jvnvu97814223/

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2022-2135

Trust: 0.8

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-905 // ZDI: ZDI-22-904 // ZDI: ZDI-22-899 // ZDI: ZDI-22-895 // ZDI: ZDI-22-894 // ZDI: ZDI-22-889 // ZDI: ZDI-22-885 // ZDI: ZDI-22-884 // VULHUB: VHN-426269 // JVNDB: JVNDB-2022-013717 // NVD: CVE-2022-2135

CREDITS

@rgod777

Trust: 7.7

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-905 // ZDI: ZDI-22-904 // ZDI: ZDI-22-894 // ZDI: ZDI-22-885 // ZDI: ZDI-22-884

SOURCES

db: ZDI, id: ZDI-22-919
db: ZDI, id: ZDI-22-918
db: ZDI, id: ZDI-22-917
db: ZDI, id: ZDI-22-916
db: ZDI, id: ZDI-22-915
db: ZDI, id: ZDI-22-914
db: ZDI, id: ZDI-22-913
db: ZDI, id: ZDI-22-909
db: ZDI, id: ZDI-22-905
db: ZDI, id: ZDI-22-904
db: ZDI, id: ZDI-22-899
db: ZDI, id: ZDI-22-895
db: ZDI, id: ZDI-22-894
db: ZDI, id: ZDI-22-889
db: ZDI, id: ZDI-22-885
db: ZDI, id: ZDI-22-884
db: VULHUB, id: VHN-426269
db: JVNDB, id: JVNDB-2022-013717
db: NVD, id: CVE-2022-2135

LAST UPDATE DATE

2024-08-30T22:45:46.424000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-919, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-918, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-917, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-916, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-915, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-914, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-913, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-909, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-905, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-904, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-899, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-895, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-894, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-889, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-885, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-884, date: 2022-06-30T00:00:00
db: VULHUB, id: VHN-426269, date: 2022-07-28T00:00:00
db: JVNDB, id: JVNDB-2022-013717, date: 2023-09-11T08:18:00
db: NVD, id: CVE-2022-2135, date: 2022-07-28T20:10:10.260

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-919, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-918, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-917, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-916, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-915, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-914, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-913, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-909, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-905, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-904, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-899, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-895, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-894, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-889, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-885, date: 2022-06-30T00:00:00
db: ZDI, id: ZDI-22-884, date: 2022-06-30T00:00:00
db: VULHUB, id: VHN-426269, date: 2022-07-22T00:00:00
db: JVNDB, id: JVNDB-2022-013717, date: 2023-09-11T00:00:00
db: NVD, id: CVE-2022-2135, date: 2022-07-22T15:15:08.117