CVE-2022-1521 - OpenCVE

LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Illumina	Iseq 100 Local Run Manager Miniseq Miseq Miseq Dx Nextseq 500 Nextseq 550 Nextseq 550dx

Configuration 1 [-]

AND

cpe:2.3:a:illumina:local_run_manager:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:illumina:iseq_100:-:::::::*
	cpe:2.3:h:illumina:miniseq:-:::::::*
	cpe:2.3:h:illumina:miseq:-:::::::*
	cpe:2.3:h:illumina:miseq_dx:-:::::::*
	cpe:2.3:h:illumina:nextseq_500:-:::::::*
	cpe:2.3:h:illumina:nextseq_550:-:::::::*
	cpe:2.3:h:illumina:nextseq_550dx:-:::::::*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-06-24T15:00:15.565978Z

Updated: 2024-09-16T18:49:44.786Z

Reserved: 2022-04-28T00:00:00

Link: CVE-2022-1521

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-24T15:15:09.390

Modified: 2023-11-07T03:41:58.820

Link: CVE-2022-1521

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "NextSeq 550Dx", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}, {"product": "MiSeq Dx", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}, {"product": "NextSeq 500 Instrumen", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}, {"product": "NextSeq 550 Instrument", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}, {"product": "MiSeq Instrument", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}, {"product": "iSeq 100 Instrument", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}, {"product": "MiniSeq Instrument", "vendor": "Illumina", "versions": [{"status": "affected", "version": "LRM Versions 1.3 to 3.1"}]}], "datePublic": "2022-06-02T00:00:00", "descriptions": [{"lang": "en", "value": "LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "cwe-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-24T15:00:15", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"}], "source": {"discovery": "UNKNOWN"}, "title": "3.2.4 IMPROPER ACCESS CONTROL CWE-284", "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "20220602T06:00:00.000000Z", "ID": "CVE-2022-1521", "STATE": "PUBLIC", "TITLE": "3.2.4 IMPROPER ACCESS CONTROL CWE-284"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "NextSeq 550Dx", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}, {"product": {"product_data": [{"product_name": "MiSeq Dx", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}, {"product": {"product_data": [{"product_name": "NextSeq 500 Instrumen", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}, {"product": {"product_data": [{"product_name": "NextSeq 550 Instrument", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}, {"product": {"product_data": [{"product_name": "MiSeq Instrument", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}, {"product": {"product_data": [{"product_name": "iSeq 100 Instrument", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}, {"product": {"product_data": [{"product_name": "MiniSeq Instrument", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "", "version_value": "LRM Versions 1.3 to 3.1"}]}}]}, "vendor_name": "Illumina"}]}}, "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "cwe-284"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"}]}, "solution": [], "source": {"advisory": "", "defect": [], "discovery": "UNKNOWN"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.014Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1521", "datePublished": "2022-06-24T15:00:15.565978Z", "dateReserved": "2022-04-28T00:00:00", "dateUpdated": "2024-09-16T18:49:44.786Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:illumina:local_run_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6A76287-2C7D-4EDD-B551-3E162819A08B", "versionEndIncluding": "3.1", "versionStartIncluding": "1.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:illumina:iseq_100:-:*:*:*:*:*:*:*", "matchCriteriaId": "0136ED72-BF05-404D-910A-DA5B73F69771", "vulnerable": false}, {"criteria": "cpe:2.3:h:illumina:miniseq:-:*:*:*:*:*:*:*", "matchCriteriaId": "2DA69772-E795-4A64-A6A1-0BDD503D263B", "vulnerable": false}, {"criteria": "cpe:2.3:h:illumina:miseq:-:*:*:*:*:*:*:*", "matchCriteriaId": "8AFB0D5A-AF5A-4A84-963F-C6307ADCFF4E", "vulnerable": false}, {"criteria": "cpe:2.3:h:illumina:miseq_dx:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7731600-AE91-4D74-A219-BAE147B29A7F", "vulnerable": false}, {"criteria": "cpe:2.3:h:illumina:nextseq_500:-:*:*:*:*:*:*:*", "matchCriteriaId": "1C7AEA5A-707D-4BF4-9DF6-BDE6E6D97B60", "vulnerable": false}, {"criteria": "cpe:2.3:h:illumina:nextseq_550:-:*:*:*:*:*:*:*", "matchCriteriaId": "BF742B4D-0FC5-443A-8040-7B0A1B298707", "vulnerable": false}, {"criteria": "cpe:2.3:h:illumina:nextseq_550dx:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3D5AB9D-7EAA-45F2-A10F-A2D142B20D3D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data."}, {"lang": "es", "value": "LRM no implementa la autenticaci\u00f3n ni la autorizaci\u00f3n por defecto. Un actor malicioso puede inyectar, reproducir, modificar y/o interceptar datos confidenciales"}], "id": "CVE-2022-1521", "lastModified": "2023-11-07T03:41:58.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-06-24T15:15:09.390", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}