Details of VAR-202203-0228

ID

VAR-202203-0228

CVE

CVE-2022-22985

TITLE

IPCOMM of ipDIO Firmware vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-006492

DESCRIPTION

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history. IPCOMM of ipDIO There are unspecified vulnerabilities in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. IPCOMM ipDIO is a remote control communication device of German IPCOMM company. Used to record digital and analog inputs and control digital outputs. A code injection vulnerability exists in IPCOMM ipDIO

Trust: 2.16

sources: NVD: CVE-2022-22985 // JVNDB: JVNDB-2022-006492 // CNVD: CNVD-2022-20533

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-20533

AFFECTED PRODUCTS

vendor:	ipcomm	model:	ipdio	scope:	eq	version:	3.9	Trust: 1.6
vendor:	ipcomm	model:	ipdio	scope:	eq	version:	-	Trust: 0.8
vendor:	ipcomm	model:	ipdio	scope:	eq	version:	ipdio firmware 3.9	Trust: 0.8
vendor:	ipcomm	model:	ipdio	scope:	-	version:	-	Trust: 0.8

sources: CNVD: CNVD-2022-20533 // JVNDB: JVNDB-2022-006492 // NVD: CVE-2022-22985

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22985
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-22985
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-22985
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-20533
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202203-181
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-22985
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-20533
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-22985
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-22985
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-20533 // JVNDB: JVNDB-2022-006492 // CNNVD: CNNVD-202203-181 // NVD: CVE-2022-22985 // NVD: CVE-2022-22985

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.0
problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	others (CWE-Other) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-006492 // NVD: CVE-2022-22985

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-181

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202203-181

PATCH

title:	Patch for IPCOMM ipDIO Code Injection Vulnerability (CNVD-2022-20533)	url:	https://www.cnvd.org.cn/patchInfo/show/326471	Trust: 0.6
title:	IPCOMM ipDIO Fixes for code injection vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=184597	Trust: 0.6

sources: CNVD: CNVD-2022-20533 // CNNVD: CNNVD-202203-181

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22985	Trust: 3.8
db:	ICS CERT	id:	ICSA-22-062-01	Trust: 2.4
db:	JVNDB	id:	JVNDB-2022-006492	Trust: 0.8
db:	CNVD	id:	CNVD-2022-20533	Trust: 0.6
db:	CS-HELP	id:	SB2022030402	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-181	Trust: 0.6

sources: CNVD: CNVD-2022-20533 // JVNDB: JVNDB-2022-006492 // CNNVD: CNNVD-202203-181 // NVD: CVE-2022-22985

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22985	Trust: 1.4
url:	https://cxsecurity.com/cveshow/cve-2022-22985/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022030402	Trust: 0.6

sources: CNVD: CNVD-2022-20533 // JVNDB: JVNDB-2022-006492 // CNNVD: CNNVD-202203-181 // NVD: CVE-2022-22985

CREDITS

Aarón Flecha Menéndez of S21Sec reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202203-181

SOURCES

db:	CNVD	id:	CNVD-2022-20533
db:	JVNDB	id:	JVNDB-2022-006492
db:	CNNVD	id:	CNNVD-202203-181
db:	NVD	id:	CVE-2022-22985

LAST UPDATE DATE

2024-11-23T22:15:55.546000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-20533	date:	2022-03-18T00:00:00
db:	JVNDB	id:	JVNDB-2022-006492	date:	2023-07-05T08:10:00
db:	CNNVD	id:	CNNVD-202203-181	date:	2023-06-28T00:00:00
db:	NVD	id:	CVE-2022-22985	date:	2024-11-21T06:47:44.610

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-20533	date:	2022-03-17T00:00:00
db:	JVNDB	id:	JVNDB-2022-006492	date:	2023-07-05T00:00:00
db:	CNNVD	id:	CNNVD-202203-181	date:	2022-03-03T00:00:00
db:	NVD	id:	CVE-2022-22985	date:	2022-03-10T17:45:43.893