OpenCVE

A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining unauthorized access to any Power BI reports installed by the customer. Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker. Affected versions * Lumada APM on-premises version 6.0.0.0 - 6.4.0.* List of CPEs: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hitachienergy	Lumada Asset Performance Management

Configuration 1 [-]

cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*

No data.

References

Link	Providers
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch

History

No history.

MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published: 2023-01-12T14:01:51.857Z

Updated: 2024-08-03T00:32:07.969Z

Reserved: 2022-06-21T16:47:22.017Z

Link: CVE-2022-2155

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-12T15:15:09.797

Modified: 2024-11-21T07:00:26.363

Link: CVE-2022-2155

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-2155", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "state": "PUBLISHED", "assignerShortName": "Hitachi Energy", "dateReserved": "2022-06-21T16:47:22.017Z", "datePublished": "2023-01-12T14:01:51.857Z", "dateUpdated": "2024-08-03T00:32:07.969Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Lumada APM", "vendor": "Hitachi Energy", "versions": [{"status": "affected", "version": "6.0.0.*"}, {"status": "affected", "version": "6.1.0.*"}, {"status": "affected", "version": "6.2.0.*"}, {"status": "affected", "version": "6.3.0.*"}, {"status": "affected", "version": "6.4.0.0"}, {"status": "unaffected", "version": "6.4.0.1"}, {"status": "unaffected", "version": "6.5.0.0"}]}], "datePublic": "2022-12-23T13:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer. \n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.<br><br>\n\nAffected versions <br><ul><li><span style=\"background-color: var(--wht);\">Lumada APM on-premises version 6.0.0.0 - 6.4.0.*</span><br></li></ul>List of CPEs: <br><ul><li>cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*</li></ul>"}], "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2023-01-12T14:01:51.857Z"}, "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<ul><li>For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).<br></li><li>For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer. <br></li></ul>"}], "value": " * For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n * For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u00a0\n\n\n\n"}], "source": {"discovery": "INTERNAL"}, "title": "A vulnerability exists in the Lumada APM\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role. ", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM. <br><ul><li>In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.</li><li>If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.<br></li></ul>Apply general mitigation factors as described in the respective advisory. "}], "value": "\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u00a0\n * In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n * If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory.\u00a0"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:07.969Z"}, "title": "CVE Program Container", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*", "matchCriteriaId": "C7CCDA82-BE91-49C2-93DD-B21F2653BDDB", "versionEndExcluding": "6.4.0.1", "versionStartIncluding": "6.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad en las versiones afectadas de la funci\u00f3n User Asset Group de Lumada APM debido a un fallo en la implementaci\u00f3n del mecanismo de control de acceso en el \u201cLimited Engineer\u201d rol, otorg\u00e1ndole acceso a la caracter\u00edstica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podr\u00eda acceder a informaci\u00f3n no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Adem\u00e1s, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deber\u00edan estar disponibles para el atacante. Versiones afectadas: \n* Lumada APM versi\u00f3n local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*"}], "id": "CVE-2022-2155", "lastModified": "2024-11-21T07:00:26.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-12T15:15:09.797", "references": [{"source": "cybersecurity@hitachienergy.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@hitachienergy.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}