ID

VAR-202203-1574


CVE

CVE-2022-1018


TITLE

Improper restriction of XML external entity reference vulnerability in Rockwell Automation's ISaGRAF

Trust: 0.8

sources: JVNDB: JVNDB-2022-001497

DESCRIPTION

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality. Rockwell Automation ISaGRAF is an automation software technology developed by Rockwell Automation in the United States for creating integrated automation solutions. It is designed to be scalable and portable, suitable for developing small controllers and large distributed automation systems.

Trust: 1.71

sources: NVD: CVE-2022-1018 // JVNDB: JVNDB-2022-001497 // VULHUB: VHN-417838

AFFECTED PRODUCTS

vendor: rockwellautomation, model: safety instrumented systems workstation, scope: lte, version: 1.1

Trust: 1.0

vendor: rockwellautomation, model: isagraf, scope: lte, version: 6.6.9

Trust: 1.0

vendor: rockwellautomation, model: connected components workbench, scope: lte, version: 12.0

Trust: 1.0

vendor: rockwell automation, model: connected components workbench, scope: -, version: -

Trust: 0.8

vendor: rockwell automation, model: isagraf workbench, scope: -, version: -

Trust: 0.8

vendor: rockwell automation, model: safety instrumented systems workstation, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-001497 // NVD: CVE-2022-1018

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-1018
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-1018
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2022-001497
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202203-2478
value: MEDIUM

Trust: 0.6

VULHUB: VHN-417838
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-1018
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-417838
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-1018
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2022-001497
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-417838 // JVNDB: JVNDB-2022-001497 // CNNVD: CNNVD-202203-2478 // NVD: CVE-2022-1018 // NVD: CVE-2022-1018

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.1

problemtype: Improper restriction of XML external entity references (CWE-611) [others]

Trust: 0.8

sources: VULHUB: VHN-417838 // JVNDB: JVNDB-2022-001497 // NVD: CVE-2022-1018

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-2478

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202203-2478

PATCH

title: VERSIONS Rockwell Automation, url: https://compatibility.rockwellautomation.com/Pages/MultiProductFindDownloads.aspx?crumb=112&mode=3&refSoft=1&versions=59954

Trust: 0.8

title: Rockwell Automation ISaGRAF fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=187203

Trust: 0.6

sources: JVNDB: JVNDB-2022-001497 // CNNVD: CNNVD-202203-2478

EXTERNAL IDS

db: ICS CERT, id: ICSA-22-088-01

Trust: 2.5

db: NVD, id: CVE-2022-1018

Trust: 2.5

db: JVN, id: JVNVU95792273

Trust: 0.8

db: JVNDB, id: JVNDB-2022-001497

Trust: 0.8

db: CNNVD, id: CNNVD-202203-2478

Trust: 0.7

db: AUSCERT, id: ESB-2022.1331

Trust: 0.6

db: CS-HELP, id: SB2022033008

Trust: 0.6

db: VULHUB, id: VHN-417838

Trust: 0.1

sources: VULHUB: VHN-417838 // JVNDB: JVNDB-2022-001497 // CNNVD: CNNVD-202203-2478 // NVD: CVE-2022-1018

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01

Trust: 2.5

url:https://jvn.jp/vu/jvnvu95792273/

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.1331

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022033008

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-1018/

Trust: 0.6

sources: VULHUB: VHN-417838 // JVNDB: JVNDB-2022-001497 // CNNVD: CNNVD-202203-2478 // NVD: CVE-2022-1018

CREDITS

kimiya of Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202203-2478

SOURCES

db: VULHUB, id: VHN-417838
db: JVNDB, id: JVNDB-2022-001497
db: CNNVD, id: CNNVD-202203-2478
db: NVD, id: CVE-2022-1018

LAST UPDATE DATE

2024-11-23T23:03:54.406000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-417838, date: 2022-04-12T00:00:00
db: JVNDB, id: JVNDB-2022-001497, date: 2022-07-26T08:30:00
db: CNNVD, id: CNNVD-202203-2478, date: 2022-04-13T00:00:00
db: NVD, id: CVE-2022-1018, date: 2024-11-21T06:39:52.100

SOURCES RELEASE DATE

db: VULHUB, id: VHN-417838, date: 2022-04-01T00:00:00
db: JVNDB, id: JVNDB-2022-001497, date: 2022-03-31T00:00:00
db: CNNVD, id: CNNVD-202203-2478, date: 2022-03-29T00:00:00
db: NVD, id: CVE-2022-1018, date: 2022-04-01T23:15:12.177