ID

VAR-202208-2220


CVE

CVE-2022-37122


TITLE

Path traversal vulnerability in multiple CAREL INDUSTRIES S.p.a. products

Trust: 0.8

sources: JVNDB: JVNDB-2022-016301

DESCRIPTION

Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter to the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. A path traversal vulnerability exists in CAREL INDUSTRIES S.p.a. pCOWeb card firmware, applica, and pCOWeb HVAC BACnet Gateway; information may be obtained. pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, and remote management systems, offering OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely used Building Management Systems, and can also be integrated into proprietary supervisory systems. The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter to the 'logdownload.cgi' Bash script is not properly verified before being used to download log files.

Trust: 1.89

sources: NVD: CVE-2022-37122 // JVNDB: JVNDB-2022-016301 // ZSL: ZSL-2022-5709 // VULHUB: VHN-433016 // VULMON: CVE-2022-37122

AFFECTED PRODUCTS

vendor: carel, model: applica, scope: eq, version: 2.154a

Trust: 1.0

vendor: carel, model: pcoweb card, scope: gte, version: a2.1.0

Trust: 1.0

vendor: carel, model: pcoweb hvac bacnet gateway, scope: eq, version: 2.1.0

Trust: 1.0

vendor: carel, model: applica, scope: eq, version: 16_13020200

Trust: 1.0

vendor: carel, model: pcoweb card, scope: lte, version: b.2.1.0

Trust: 1.0

vendor: carel industries s p a, model: applica, scope: -, version: -

Trust: 0.8

vendor: carel industries s p a, model: pcoweb card, scope: -, version: -

Trust: 0.8

vendor: carel industries s p a, model: pcoweb hvac bacnet gateway, scope: -, version: -

Trust: 0.8

vendor: carel industries s p a, model: pcoweb hvac bacnet gateway, scope: eq, version: firmware: a2.1.0 - b2.1.0

Trust: 0.1

vendor: carel industries s p a, model: pcoweb hvac bacnet gateway, scope: eq, version: application software: 2.15.4a

Trust: 0.1

vendor: carel industries s p a, model: pcoweb hvac bacnet gateway, scope: eq, version: software version: v16 13020200

Trust: 0.1

sources: ZSL: ZSL-2022-5709 // JVNDB: JVNDB-2022-016301 // NVD: CVE-2022-37122

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-37122
value: HIGH

Trust: 1.0

NVD: CVE-2022-37122
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202208-4478
value: HIGH

Trust: 0.6

ZSL: ZSL-2022-5709
value: (4/5)

Trust: 0.1

nvd@nist.gov: CVE-2022-37122
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-37122
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZSL: ZSL-2022-5709 // JVNDB: JVNDB-2022-016301 // CNNVD: CNNVD-202208-4478 // NVD: CVE-2022-37122

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.1

problemtype: Path traversal (CWE-22) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-433016 // JVNDB: JVNDB-2022-016301 // NVD: CVE-2022-37122

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-4478

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202208-4478

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2022-5709

EXTERNAL IDS

db: NVD, id: CVE-2022-37122

Trust: 3.5

db: PACKETSTORM, id: 167684

Trust: 2.7

db: ZSL, id: ZSL-2022-5709

Trust: 2.7

db: JVNDB, id: JVNDB-2022-016301

Trust: 0.8

db: CNNVD, id: CNNVD-202208-4478

Trust: 0.6

db: EXPLOIT-DB, id: 50986

Trust: 0.1

db: CXSECURITY, id: WLB-2022070011

Trust: 0.1

db: VULHUB, id: VHN-433016

Trust: 0.1

db: VULMON, id: CVE-2022-37122

Trust: 0.1

sources: ZSL: ZSL-2022-5709 // VULHUB: VHN-433016 // VULMON: CVE-2022-37122 // JVNDB: JVNDB-2022-016301 // CNNVD: CNNVD-202208-4478 // NVD: CVE-2022-37122

REFERENCES

url: https://packetstormsecurity.com/files/167684/

Trust: 2.7

url: https://www.zeroscience.mk/codes/carelpco_dir.txt

Trust: 2.6

url: https://www.zeroscience.mk/en/vulnerabilities/zsl-2022-5709.php

Trust: 2.6

url: https://nvd.nist.gov/vuln/detail/cve-2022-37122

Trust: 0.9

url: https://cxsecurity.com/cveshow/cve-2022-37122/

Trust: 0.6

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/230273

Trust: 0.1

url: https://cxsecurity.com/issue/wlb-2022070011

Trust: 0.1

url: https://www.exploit-db.com/exploits/50986

Trust: 0.1

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-37122

Trust: 0.1

url: https://www.tenable.com/cve/cve-2022-37122

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: ZSL: ZSL-2022-5709 // VULHUB: VHN-433016 // VULMON: CVE-2022-37122 // JVNDB: JVNDB-2022-016301 // CNNVD: CNNVD-202208-4478 // NVD: CVE-2022-37122

CREDITS

Vulnerability discovered by Gjoko Krstic

Trust: 0.1

sources: ZSL: ZSL-2022-5709

SOURCES

db: ZSL, id: ZSL-2022-5709
db: VULHUB, id: VHN-433016
db: VULMON, id: CVE-2022-37122
db: JVNDB, id: JVNDB-2022-016301
db: CNNVD, id: CNNVD-202208-4478
db: NVD, id: CVE-2022-37122

LAST UPDATE DATE

2024-08-14T14:49:39.141000+00:00


SOURCES UPDATE DATE

db: ZSL, id: ZSL-2022-5709, date: 2022-09-01T00:00:00
db: VULHUB, id: VHN-433016, date: 2022-09-08T00:00:00
db: VULMON, id: CVE-2022-37122, date: 2022-08-31T00:00:00
db: JVNDB, id: JVNDB-2022-016301, date: 2023-10-03T08:08:00
db: CNNVD, id: CNNVD-202208-4478, date: 2022-09-09T00:00:00
db: NVD, id: CVE-2022-37122, date: 2022-09-08T01:35:34.110

SOURCES RELEASE DATE

db: ZSL, id: ZSL-2022-5709, date: 2022-06-30T00:00:00
db: VULHUB, id: VHN-433016, date: 2022-08-31T00:00:00
db: VULMON, id: CVE-2022-37122, date: 2022-08-31T00:00:00
db: JVNDB, id: JVNDB-2022-016301, date: 2023-10-03T00:00:00
db: CNNVD, id: CNNVD-202208-4478, date: 2022-08-31T00:00:00
db: NVD, id: CVE-2022-37122, date: 2022-08-31T16:15:11.747