CVE-2022-1264 - OpenCVE

The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Inductiveautomation	Ignition

Configuration 1 [-]

cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-102-03

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-07-20T15:34:59.675108Z

Updated: 2024-09-17T00:15:44.178Z

Reserved: 2022-04-06T00:00:00

Link: CVE-2022-1264

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-20T16:15:08.763

Modified: 2022-07-27T21:48:47.797

Link: CVE-2022-1264

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Ignition", "vendor": "Inductive Automation", "versions": [{"status": "affected", "version": "All 8.1 versions 8.1.10"}, {"lessThan": "All 8.0 versions*", "status": "affected", "version": "8.0.4", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mashav Sapir of Claroty reported this vulnerability to CISA"}], "datePublic": "2022-04-12T00:00:00", "descriptions": [{"lang": "en", "value": "The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-20T15:34:59", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-102-03"}], "solutions": [{"lang": "en", "value": "Inductive Automation recommends users upgrade the Ignition software to 8.1.10 or later."}], "source": {"advisory": "ICSA-22-102-03", "discovery": "UNKNOWN"}, "title": "Inductive Automation Ignition", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-04-12T17:00:00.000Z", "ID": "CVE-2022-1264", "STATE": "PUBLIC", "TITLE": "Inductive Automation Ignition"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ignition", "version": {"version_data": [{"version_affected": ">", "version_name": "All 8.0 versions", "version_value": "8.0.4"}, {"version_name": "All 8.1 versions", "version_value": "8.1.10"}]}}]}, "vendor_name": "Inductive Automation"}]}}, "credit": [{"lang": "eng", "value": "Mashav Sapir of Claroty reported this vulnerability to CISA"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-102-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-102-03"}]}, "solution": [{"lang": "en", "value": "Inductive Automation recommends users upgrade the Ignition software to 8.1.10 or later."}], "source": {"advisory": "ICSA-22-102-03", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:55:24.550Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-102-03"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1264", "datePublished": "2022-07-20T15:34:59.675108Z", "dateReserved": "2022-04-06T00:00:00", "dateUpdated": "2024-09-17T00:15:44.178Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}