ID

VAR-202110-2121


CVE

CVE-2022-21202


TITLE

Alpha5 Smart Loader firmware out-of-bounds read vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-001575

DESCRIPTION

The affected product is vulnerable to an out-of-bounds read, which may result in disclosure of sensitive information. There is an out-of-bounds read vulnerability in the Alpha5 Smart Loader firmware. Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Fuji Electric Alpha5. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of A5V files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

Trust: 2.97

sources: NVD: CVE-2022-21202 // JVNDB: JVNDB-2022-001575 // ZDI: ZDI-22-388 // ZDI: ZDI-21-1211 // VULMON: CVE-2022-21202

AFFECTED PRODUCTS

vendor: fuji electric, model: alpha5, scope: -, version: -

Trust: 1.4

vendor: fujielectric, model: alpha5 smart loader, scope: lt, version: 4.3

Trust: 1.0

vendor: 富士電機, model: alpha5 smart loader, scope: -, version: -

Trust: 0.8

vendor: 富士電機, model: alpha5 smart loader, scope: eq, version: alpha5 smart loader firmware

Trust: 0.8

vendor: 富士電機, model: alpha5 smart loader, scope: eq, version: -

Trust: 0.8

sources: ZDI: ZDI-22-388 // ZDI: ZDI-21-1211 // JVNDB: JVNDB-2022-001575 // NVD: CVE-2022-21202

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-21202
value: LOW

Trust: 1.4

nvd@nist.gov: CVE-2022-21202
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-21202
value: LOW

Trust: 1.0

NVD: CVE-2022-21202
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202203-2666
value: MEDIUM

Trust: 0.6

VULMON: CVE-2022-21202
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-21202
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: CVE-2022-21202
baseSeverity: LOW
baseScore: 3.3
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.0

Trust: 1.4

nvd@nist.gov: CVE-2022-21202
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-21202
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-21202
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-388 // ZDI: ZDI-21-1211 // VULMON: CVE-2022-21202 // JVNDB: JVNDB-2022-001575 // CNNVD: CNNVD-202203-2666 // NVD: CVE-2022-21202 // NVD: CVE-2022-21202

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.0

problemtype:Out-of-bounds read (CWE-125) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001575 // NVD: CVE-2022-21202

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-2666

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202203-2666

PATCH

title: top page, url: https://www.fujielectric.co.jp/

Trust: 0.8

title: Fuji Electric Alpha5 Buffer error vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190335

Trust: 0.6

sources: JVNDB: JVNDB-2022-001575 // CNNVD: CNNVD-202203-2666

EXTERNAL IDS

db: NVD, id: CVE-2022-21202

Trust: 4.7

db: ICS CERT, id: ICSA-22-090-03

Trust: 2.5

db: JVN, id: JVNVU94149543

Trust: 0.8

db: JVNDB, id: JVNDB-2022-001575

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-13938

Trust: 0.7

db: ZDI, id: ZDI-22-388

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-13999

Trust: 0.7

db: ZDI, id: ZDI-21-1211

Trust: 0.7

db: CNNVD, id: CNNVD-202203-2666

Trust: 0.6

db: VULMON, id: CVE-2022-21202

Trust: 0.1

sources: ZDI: ZDI-22-388 // ZDI: ZDI-21-1211 // VULMON: CVE-2022-21202 // JVNDB: JVNDB-2022-001575 // CNNVD: CNNVD-202203-2666 // NVD: CVE-2022-21202

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-03

Trust: 2.6

url:http://jvn.jp/vu/jvnvu94149543/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-21202

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-090-03

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-21202/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-21202 // JVNDB: JVNDB-2022-001575 // CNNVD: CNNVD-202203-2666 // NVD: CVE-2022-21202

CREDITS

xina1i

Trust: 1.4

sources: ZDI: ZDI-22-388 // ZDI: ZDI-21-1211

SOURCES

db: ZDI, id: ZDI-22-388
db: ZDI, id: ZDI-21-1211
db: VULMON, id: CVE-2022-21202
db: JVNDB, id: JVNDB-2022-001575
db: CNNVD, id: CNNVD-202203-2666
db: NVD, id: CVE-2022-21202

LAST UPDATE DATE

2024-11-23T22:10:53.616000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-388, date: 2022-03-23T00:00:00
db: ZDI, id: ZDI-21-1211, date: 2022-03-23T00:00:00
db: VULMON, id: CVE-2022-21202, date: 2022-04-21T00:00:00
db: JVNDB, id: JVNDB-2022-001575, date: 2022-04-25T07:48:00
db: CNNVD, id: CNNVD-202203-2666, date: 2022-04-22T00:00:00
db: NVD, id: CVE-2022-21202, date: 2024-11-21T06:44:05.777

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-388, date: 2022-03-23T00:00:00
db: ZDI, id: ZDI-21-1211, date: 2021-10-15T00:00:00
db: VULMON, id: CVE-2022-21202, date: 2022-04-12T00:00:00
db: JVNDB, id: JVNDB-2022-001575, date: 2022-04-25T00:00:00
db: CNNVD, id: CNNVD-202203-2666, date: 2022-03-31T00:00:00
db: NVD, id: CVE-2022-21202, date: 2022-04-12T17:15:09.110