Sign-up

ID

VAR-202202-0306


CVE

CVE-2022-23921


TITLE

GE Digital  Made  Proficy CIMPLICITY  Improper Privilege Management Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-001374

DESCRIPTION

Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects. GE Digital Provided by the company Proficy CIMPLICITY teeth, HMI and SCADA It's a platform

Trust: 1.62

sources: NVD: CVE-2022-23921 // JVNDB: JVNDB-2022-001374

AFFECTED PRODUCTS

vendor:gemodel:proficy cimplicitiyscope:lteversion:11.1

Trust: 1.0

vendor:ge デジタルmodel:proficy cimplicityscope:lteversion:v11.1 and earlier s

Trust: 0.8

vendor:ge デジタルmodel:proficy cimplicityscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-001374 // NVD: CVE-2022-23921

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23921
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-23921
value: HIGH

Trust: 1.0

NVD: CVE-2022-23921
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202202-1768
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-23921
severity: LOW
baseScore: 3.7
vectorString: AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2022-23921
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-23921
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2022-001374
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-001374 // CNNVD: CNNVD-202202-1768 // NVD: CVE-2022-23921 // NVD: CVE-2022-23921

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:Improper authority management (CWE-269) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001374 // NVD: CVE-2022-23921

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202202-1768

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202202-1768

PATCH

title:Customer Login GE Digitalurl:https://digitalsupport.ge.com/communities/cc_login?startURL=%2Fen_US%2FDocumentation%2FiFIX-Secure-Deployment-Guide

Trust: 0.8

title:GE Proficy CIMPLICITY-IPM Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=183242

Trust: 0.6

sources: JVNDB: JVNDB-2022-001374 // CNNVD: CNNVD-202202-1768

EXTERNAL IDS

db:NVDid:CVE-2022-23921

Trust: 3.2

db:ICS CERTid:ICSA-22-053-01

Trust: 2.4

db:JVNid:JVNVU97325177

Trust: 0.8

db:JVNDBid:JVNDB-2022-001374

Trust: 0.8

db:AUSCERTid:ESB-2022.0786

Trust: 0.6

db:CS-HELPid:SB2022022305

Trust: 0.6

db:CNNVDid:CNNVD-202202-1768

Trust: 0.6

sources: JVNDB: JVNDB-2022-001374 // CNNVD: CNNVD-202202-1768 // NVD: CVE-2022-23921

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-23921

Trust: 1.4

url:http://jvn.jp/cert/jvnvu97325177/

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-23921/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022022305

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0786

Trust: 0.6

sources: JVNDB: JVNDB-2022-001374 // CNNVD: CNNVD-202202-1768 // NVD: CVE-2022-23921

CREDITS

Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202202-1768

SOURCES

db:JVNDBid:JVNDB-2022-001374
db:CNNVDid:CNNVD-202202-1768
db:NVDid:CVE-2022-23921

LAST UPDATE DATE

2024-11-23T22:57:48.846000+00:00


SOURCES UPDATE DATE

db:JVNDBid:JVNDB-2022-001374date:2024-06-20T09:05:00
db:CNNVDid:CNNVD-202202-1768date:2022-03-10T00:00:00
db:NVDid:CVE-2022-23921date:2024-11-21T06:49:27.780

SOURCES RELEASE DATE

db:JVNDBid:JVNDB-2022-001374date:2022-02-25T00:00:00
db:CNNVDid:CNNVD-202202-1768date:2022-02-22T00:00:00
db:NVDid:CVE-2022-23921date:2022-02-25T19:15:24.890