Details of VAR-202211-1447

ID

VAR-202211-1447

CVE

CVE-2022-2952

TITLE

General Electric Company of CIMPLICITY Vulnerability in accessing uninitialized pointers in

Trust: 0.8

sources: JVNDB: JVNDB-2022-022588

DESCRIPTION

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code. General Electric Company of CIMPLICITY Exists in an uninitialized pointer access vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. GE CIMPLICITY HMI/SCADA Software is an automated industrial platform of General Electric (GE) in the United States. Provides true client-server visualization and control from a single machine to plant locations around the world, helping to manage operations and improve decision making. There are security vulnerabilities in GE CIMPLICITY HMI/SCADA Software 2022 and earlier versions, which may be exploited by attackers to affect the confidentiality, availability, or integrity of the system. There are currently no vulnerability details. GE CIMPLICITY

Trust: 2.25

sources: NVD: CVE-2022-2952 // JVNDB: JVNDB-2022-022588 // CNVD: CNVD-2022-85524 // VULMON: CVE-2022-2952

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-85524

AFFECTED PRODUCTS

vendor:	ge	model:	cimplicity	scope:	lte	version:	2022	Trust: 1.0
vendor:	general electric	model:	cimplicity	scope:	lte	version:	2022 and earlier	Trust: 0.8
vendor:	general electric	model:	cimplicity	scope:	eq	version:	-	Trust: 0.8
vendor:	general electric	model:	cimplicity	scope:	-	version:	-	Trust: 0.8
vendor:	ge	model:	cimplicity hmi/scada software	scope:	lte	version:	<=2022	Trust: 0.6

sources: CNVD: CNVD-2022-85524 // JVNDB: JVNDB-2022-022588 // NVD: CVE-2022-2952

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-2952
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-2952
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-2952
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-85524
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202211-3423
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2022-85524
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-2952
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2022-2952
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-85524 // JVNDB: JVNDB-2022-022588 // CNNVD: CNNVD-202211-3423 // NVD: CVE-2022-2952 // NVD: CVE-2022-2952

PROBLEMTYPE DATA

problemtype:	CWE-824	Trust: 1.0
problemtype:	Accessing uninitialized pointers (CWE-824) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-022588 // NVD: CVE-2022-2952

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202211-3423

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202211-3423

PATCH

title:	Patch for GE CIMPLICITY HMI/SCADA Software has an unknown vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/364081	Trust: 0.6
title:	GE CIMPLICITY HMI/SCADA Software Buffer error vulnerability fix	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=216703	Trust: 0.6

sources: CNVD: CNVD-2022-85524 // CNNVD: CNNVD-202211-3423

EXTERNAL IDS

db:	NVD	id:	CVE-2022-2952	Trust: 3.9
db:	ICS CERT	id:	ICSA-22-326-04	Trust: 2.5
db:	AUSCERT	id:	ESB-2022.6117	Trust: 1.2
db:	JVN	id:	JVNVU95378145	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-022588	Trust: 0.8
db:	CNVD	id:	CNVD-2022-85524	Trust: 0.6
db:	CNNVD	id:	CNNVD-202211-3423	Trust: 0.6
db:	VULMON	id:	CVE-2022-2952	Trust: 0.1

sources: CNVD: CNVD-2022-85524 // VULMON: CVE-2022-2952 // JVNDB: JVNDB-2022-022588 // CNNVD: CNNVD-202211-3423 // NVD: CVE-2022-2952

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-326-04	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2952	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2022.6117	Trust: 1.2
url:	https://jvn.jp/vu/jvnvu95378145/index.html	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-2952/	Trust: 0.6

sources: CNVD: CNVD-2022-85524 // VULMON: CVE-2022-2952 // JVNDB: JVNDB-2022-022588 // CNNVD: CNNVD-202211-3423 // NVD: CVE-2022-2952

SOURCES

db:	CNVD	id:	CNVD-2022-85524
db:	VULMON	id:	CVE-2022-2952
db:	JVNDB	id:	JVNDB-2022-022588
db:	CNNVD	id:	CNNVD-202211-3423
db:	NVD	id:	CVE-2022-2952

LAST UPDATE DATE

2024-08-14T13:42:39.144000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-85524	date:	2022-12-07T00:00:00
db:	JVNDB	id:	JVNDB-2022-022588	date:	2023-11-17T08:22:00
db:	CNNVD	id:	CNNVD-202211-3423	date:	2022-12-12T00:00:00
db:	NVD	id:	CVE-2022-2952	date:	2023-11-07T03:47:08.217

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-85524	date:	2022-11-23T00:00:00
db:	JVNDB	id:	JVNDB-2022-022588	date:	2023-11-17T00:00:00
db:	CNNVD	id:	CNNVD-202211-3423	date:	2022-11-23T00:00:00
db:	NVD	id:	CVE-2022-2952	date:	2022-12-07T23:15:10.003