CVE-2022-1607 - OpenCVE

Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Abb	Infinity Dc Power Plant Ne843 S

Configuration 1 [-]

OR	cpe:2.3:a:abb:infinity_dc_power_plant::::::::
	cpe:2.3:a:abb:ne843_s::::::::

No data.

References

Link	Providers
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&LanguageCode=en&DocumentPartId=&Action=Launch

History

No history.

MITRE

Status: PUBLISHED

Assigner: ABB

Published: 2023-02-24T04:49:49.418Z

Updated: 2024-08-03T00:10:03.747Z

Reserved: 2022-05-06T13:10:42.773Z

Link: CVE-2022-1607

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-24T05:15:14.510

Modified: 2023-11-07T03:42:02.290

Link: CVE-2022-1607

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-1607", "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "state": "PUBLISHED", "assignerShortName": "ABB", "dateReserved": "2022-05-06T13:10:42.773Z", "datePublished": "2023-02-24T04:49:49.418Z", "dateUpdated": "2024-08-03T00:10:03.747Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pulsar Plus System Controller NE843_S ", "vendor": "ABB", "versions": [{"status": "affected", "version": "comcode 150042936"}]}, {"defaultStatus": "unaffected", "product": "Infinity DC Power Plant", "vendor": "ABB", "versions": [{"status": "affected", "version": "H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) \u2013 comcode 150047415"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "We acknowledge the help of Vlad Ionescu of Facebook Red Team X for reports on the vulnerabilities."}], "datePublic": "2022-02-11T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.<p>This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) \u2013 comcode 150047415.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) \u2013 comcode 150047415.\n\n"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB", "dateUpdated": "2023-02-24T04:50:46.874Z"}, "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&LanguageCode=en&DocumentPartId=&Action=Launch"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross Site Scripting vulnerability in NE843 Pulsar Plus Controller", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA workaround is to use the controller\u2019s Read/Write Enable/Disable feature for a network port\n(NET1,WRE=0). The controller can disable all writes over the network port. The factory default is to have\nthe write capability enabled. However, some customers do not want settings to be remotely changed\nonce systems are set. This feature, when set to Disable, will allow no changes to be accepted. Once set it\ncan only be changed locally through the front panel.\nABB has tested the following workarounds. Although these workarounds will not correct the underlying\nvulnerability, they can help block known attack vectors. When a workaround reduces functionality, this is\nidentified below as \u201cImpact of workaround\u201d\n\n<br>"}], "value": "\nA workaround is to use the controller\u2019s Read/Write Enable/Disable feature for a network port\n(NET1,WRE=0). The controller can disable all writes over the network port. The factory default is to have\nthe write capability enabled. However, some customers do not want settings to be remotely changed\nonce systems are set. This feature, when set to Disable, will allow no changes to be accepted. Once set it\ncan only be changed locally through the front panel.\nABB has tested the following workarounds. Although these workarounds will not correct the underlying\nvulnerability, they can help block known attack vectors. When a workaround reduces functionality, this is\nidentified below as \u201cImpact of workaround\u201d\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.747Z"}, "title": "CVE Program Container", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:infinity_dc_power_plant:*:*:*:*:*:*:*:*", "matchCriteriaId": "61279EF7-81F5-4044-9B54-9E263B4A4CBB", "versionEndExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:ne843_s:*:*:*:*:*:*:*:*", "matchCriteriaId": "493D2774-FE8A-4709-A2B0-FA0A95DA3AC3", "versionEndExcluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) \u2013 comcode 150047415.\n\n"}], "id": "CVE-2022-1607", "lastModified": "2023-11-07T03:42:02.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2023-02-24T05:15:14.510", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}