{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-2155", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "state": "PUBLISHED", "assignerShortName": "Hitachi Energy", "dateReserved": "2022-06-21T16:47:22.017Z", "datePublished": "2023-01-12T14:01:51.857Z", "dateUpdated": "2025-04-07T15:06:41.003Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Lumada APM", "vendor": "Hitachi Energy", "versions": [{"status": "affected", "version": "6.0.0.*"}, {"status": "affected", "version": "6.1.0.*"}, {"status": "affected", "version": "6.2.0.*"}, {"status": "affected", "version": "6.3.0.*"}, {"status": "affected", "version": "6.4.0.0"}, {"status": "unaffected", "version": "6.4.0.1"}, {"status": "unaffected", "version": "6.5.0.0"}]}], "datePublic": "2022-12-23T13:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.&nbsp;\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.<br><br>\n\nAffected versions <br><ul><li><span style=\"background-color: var(--wht);\">Lumada APM on-premises version 6.0.0.0 - 6.4.0.*</span><br></li></ul>List of CPEs:&nbsp;<br><ul><li>cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*</li></ul>"}], "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2023-01-12T14:01:51.857Z"}, "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<ul><li>For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).<br></li><li>For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.&nbsp;<br></li></ul>"}], "value": "  *  For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n  *  For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u00a0\n\n\n\n"}], "source": {"discovery": "INTERNAL"}, "title": "A vulnerability exists in the Lumada APM\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role. ", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.&nbsp;<br><ul><li>In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.</li><li>If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.<br></li></ul>Apply general mitigation factors as described in the respective advisory.&nbsp;"}], "value": "\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u00a0\n  *  In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n  *  If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory.\u00a0"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:07.969Z"}, "title": "CVE Program Container", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T15:06:22.175649Z", "id": "CVE-2022-2155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T15:06:41.003Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:07.969Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2155", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-07T15:06:22.175649Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T15:06:29.231Z"}}], "cna": {"title": "A vulnerability exists in the Lumada APM\u2019s User Asset Group feature due to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role. ", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hitachi Energy", "product": "Lumada APM", "versions": [{"status": "affected", "version": "6.0.0.*"}, {"status": "affected", "version": "6.1.0.*"}, {"status": "affected", "version": "6.2.0.*"}, {"status": "affected", "version": "6.3.0.*"}, {"status": "affected", "version": "6.4.0.0"}, {"status": "unaffected", "version": "6.4.0.1"}, {"status": "unaffected", "version": "6.5.0.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "  *  For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n  *  For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.\u00a0\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<ul><li>For Lumada APM version 6.4.0.* \u2013 Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).<br></li><li>For Lumada APM versions prior to 6.4.0.0 \u2013 Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer.&nbsp;<br></li></ul>", "base64": false}]}], "datePublic": "2022-12-23T13:30:00.000Z", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}], "workarounds": [{"lang": "en", "value": "\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.\u00a0\n  *  In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n  *  If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory.\u00a0", "supportingMedia": [{"type": "text/html", "value": "\n\nOut-of-the-box, Lumada APM \u2013 On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM.&nbsp;<br><ul><li>In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with \u201cLimited Engineer\u201d role, or to remove any users with \u201cLimited Engineer\u201d role or to assign those users to other role prior to using the unsupported Power BI integration feature.</li><li>If Power BI integration is disabled, it is safe to continue to assign the \u201cLimited Engineer\u201d role to users.<br></li></ul>Apply general mitigation factors as described in the respective advisory.&nbsp;", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.&nbsp;\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.<br><br>\n\nAffected versions <br><ul><li><span style=\"background-color: var(--wht);\">Lumada APM on-premises version 6.0.0.0 - 6.4.0.*</span><br></li></ul>List of CPEs:&nbsp;<br><ul><li>cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*</li><li>cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*</li></ul>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2023-01-12T14:01:51.857Z"}}}, "cveMetadata": {"cveId": "CVE-2022-2155", "state": "PUBLISHED", "dateUpdated": "2025-04-07T15:06:41.003Z", "dateReserved": "2022-06-21T16:47:22.017Z", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "datePublished": "2023-01-12T14:01:51.857Z", "assignerShortName": "Hitachi Energy"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*", "matchCriteriaId": "C7CCDA82-BE91-49C2-93DD-B21F2653BDDB", "versionEndExcluding": "6.4.0.1", "versionStartIncluding": "6.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n  *  Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n  *  cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad en las versiones afectadas de la funci\u00f3n User Asset Group de Lumada APM debido a un fallo en la implementaci\u00f3n del mecanismo de control de acceso en el \u201cLimited Engineer\u201d rol, otorg\u00e1ndole acceso a la caracter\u00edstica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podr\u00eda acceder a informaci\u00f3n no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Adem\u00e1s, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deber\u00edan estar disponibles para el atacante. Versiones afectadas: \n* Lumada APM versi\u00f3n local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*"}], "id": "CVE-2022-2155", "lastModified": "2024-11-21T07:00:26.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-12T15:15:09.797", "references": [{"source": "cybersecurity@hitachienergy.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@hitachienergy.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}