Details of VAR-202210-0318

ID

VAR-202210-0318

CVE

CVE-2022-3158

TITLE

Rockwell Automation of factorytalk vantagepoint In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-019486

DESCRIPTION

Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an input validation vulnerability. The FactoryTalk VantagePoint SQL Server lacks input validation when users enter SQL statements to retrieve information from the back-end database. If successfully exploited, this could allow a user with basic user privileges to perform remote code execution on the server. Rockwell Automation of factorytalk vantagepoint for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-3158 // JVNDB: JVNDB-2022-019486 // VULHUB: VHN-430800

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	factorytalk vantagepoint	scope:	eq	version:	8.31	Trust: 1.0
vendor:	rockwellautomation	model:	factorytalk vantagepoint	scope:	eq	version:	8.0	Trust: 1.0
vendor:	rockwellautomation	model:	factorytalk vantagepoint	scope:	eq	version:	8.10	Trust: 1.0
vendor:	rockwellautomation	model:	factorytalk vantagepoint	scope:	eq	version:	8.30	Trust: 1.0
vendor:	rockwellautomation	model:	factorytalk vantagepoint	scope:	eq	version:	8.20	Trust: 1.0
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	eq	version:	8.10	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	-	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	eq	version:	8.30	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	eq	version:	8.20	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	eq	version:	8.31	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	eq	version:	8.0	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk vantagepoint	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-019486 // NVD: CVE-2022-3158

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-3158
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-3158
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202210-249
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-3158
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-3158
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-019486 // CNNVD: CNNVD-202210-249 // NVD: CVE-2022-3158

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-430800 // JVNDB: JVNDB-2022-019486 // NVD: CVE-2022-3158

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-249

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202210-249

PATCH

title:

Rockwell Automation Factory Talk VantagePoint SQL Repair measures for injecting vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=211448

Trust: 0.6

sources: CNNVD: CNNVD-202210-249

EXTERNAL IDS

db:	NVD	id:	CVE-2022-3158	Trust: 3.3
db:	ICS CERT	id:	ICSA-22-279-01	Trust: 1.4
db:	JVN	id:	JVNVU90214809	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-019486	Trust: 0.8
db:	CNNVD	id:	CNNVD-202210-249	Trust: 0.6
db:	VULHUB	id:	VHN-430800	Trust: 0.1

sources: VULHUB: VHN-430800 // JVNDB: JVNDB-2022-019486 // CNNVD: CNNVD-202210-249 // NVD: CVE-2022-3158

REFERENCES

url:	https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1137043	Trust: 1.7
url:	https://jvn.jp/vu/jvnvu90214809/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-3158	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-279-01	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-3158/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-279-01	Trust: 0.6

sources: VULHUB: VHN-430800 // JVNDB: JVNDB-2022-019486 // CNNVD: CNNVD-202210-249 // NVD: CVE-2022-3158

CREDITS

Rockwell Automation reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202210-249

SOURCES

db:	VULHUB	id:	VHN-430800
db:	JVNDB	id:	JVNDB-2022-019486
db:	CNNVD	id:	CNNVD-202210-249
db:	NVD	id:	CVE-2022-3158

LAST UPDATE DATE

2024-08-14T14:02:20.469000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-430800	date:	2022-10-20T00:00:00
db:	JVNDB	id:	JVNDB-2022-019486	date:	2023-10-25T08:15:00
db:	CNNVD	id:	CNNVD-202210-249	date:	2022-10-21T00:00:00
db:	NVD	id:	CVE-2022-3158	date:	2022-10-20T14:42:28.307

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-430800	date:	2022-10-17T00:00:00
db:	JVNDB	id:	JVNDB-2022-019486	date:	2023-10-25T00:00:00
db:	CNNVD	id:	CNNVD-202210-249	date:	2022-10-06T00:00:00
db:	NVD	id:	CVE-2022-3158	date:	2022-10-17T22:15:10.437