Sign-up

ID

VAR-202202-1889


CVE

CVE-2022-21168


TITLE

Alpha5 Smart Loader  Uninitialized pointer access vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2022-001574

DESCRIPTION

The affected product is vulnerable due to an invalid pointer initialization, which may lead to information disclosure. Alpha5 Smart Loader There is a vulnerability in the firmware regarding access to uninitialized pointers.Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Fuji Electric Alpha5. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of C5V files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process

Trust: 2.34

sources: NVD: CVE-2022-21168 // JVNDB: JVNDB-2022-001574 // ZDI: ZDI-22-387 // VULMON: CVE-2022-21168

AFFECTED PRODUCTS

vendor:fujielectricmodel:alpha5 smart loaderscope:ltversion:4.3

Trust: 1.0

vendor:富士電機model:alpha5 smart loaderscope: - version: -

Trust: 0.8

vendor:富士電機model:alpha5 smart loaderscope:eqversion:alpha5 smart loader firmware

Trust: 0.8

vendor:富士電機model:alpha5 smart loaderscope:eqversion: -

Trust: 0.8

vendor:fuji electricmodel:alpha5scope: - version: -

Trust: 0.7

sources: ZDI: ZDI-22-387 // JVNDB: JVNDB-2022-001574 // NVD: CVE-2022-21168

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-21168
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-21168
value: LOW

Trust: 1.0

NVD: CVE-2022-21168
value: MEDIUM

Trust: 0.8

ZDI: CVE-2022-21168
value: LOW

Trust: 0.7

CNNVD: CNNVD-202203-2669
value: MEDIUM

Trust: 0.6

VULMON: CVE-2022-21168
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-21168
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2022-21168
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-21168
baseSeverity: LOW
baseScore: 3.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-21168
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-21168
baseSeverity: LOW
baseScore: 3.3
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 1.4
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-387 // VULMON: CVE-2022-21168 // JVNDB: JVNDB-2022-001574 // CNNVD: CNNVD-202203-2669 // NVD: CVE-2022-21168 // NVD: CVE-2022-21168

PROBLEMTYPE DATA

problemtype:CWE-824

Trust: 1.0

problemtype:Accessing uninitialized pointers (CWE-824) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001574 // NVD: CVE-2022-21168

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-2669

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202203-2669

PATCH

title:top pageurl:https://www.fujielectric.co.jp/

Trust: 0.8

title:Fuji Electric Alpha5 Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190336

Trust: 0.6

sources: JVNDB: JVNDB-2022-001574 // CNNVD: CNNVD-202203-2669

EXTERNAL IDS

db:NVDid:CVE-2022-21168

Trust: 4.0

db:ICS CERTid:ICSA-22-090-03

Trust: 2.5

db:JVNid:JVNVU94149543

Trust: 0.8

db:JVNDBid:JVNDB-2022-001574

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-13876

Trust: 0.7

db:ZDIid:ZDI-22-387

Trust: 0.7

db:CNNVDid:CNNVD-202203-2669

Trust: 0.6

db:VULMONid:CVE-2022-21168

Trust: 0.1

sources: ZDI: ZDI-22-387 // VULMON: CVE-2022-21168 // JVNDB: JVNDB-2022-001574 // CNNVD: CNNVD-202203-2669 // NVD: CVE-2022-21168

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-03

Trust: 2.6

url:http://jvn.jp/vu/jvnvu94149543/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-21168

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-21168/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-090-03

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/824.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-21168 // JVNDB: JVNDB-2022-001574 // CNNVD: CNNVD-202203-2669 // NVD: CVE-2022-21168

CREDITS

xina1i

Trust: 0.7

sources: ZDI: ZDI-22-387

SOURCES

db:ZDIid:ZDI-22-387
db:VULMONid:CVE-2022-21168
db:JVNDBid:JVNDB-2022-001574
db:CNNVDid:CNNVD-202203-2669
db:NVDid:CVE-2022-21168

LAST UPDATE DATE

2024-11-23T22:10:53.650000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-387date:2022-03-23T00:00:00
db:VULMONid:CVE-2022-21168date:2022-04-21T00:00:00
db:JVNDBid:JVNDB-2022-001574date:2022-04-25T07:45:00
db:CNNVDid:CNNVD-202203-2669date:2022-04-22T00:00:00
db:NVDid:CVE-2022-21168date:2024-11-21T06:44:01.630

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-387date:2022-02-22T00:00:00
db:VULMONid:CVE-2022-21168date:2022-04-12T00:00:00
db:JVNDBid:JVNDB-2022-001574date:2022-04-25T00:00:00
db:CNNVDid:CNNVD-202203-2669date:2022-03-31T00:00:00
db:NVDid:CVE-2022-21168date:2022-04-12T17:15:09.053