CVE-2022-22512 - OpenCVE

Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Varta	Element Backup Element Backup Firmware Element S1 Element S1 Firmware Element S2 Element S2 Firmware Element S3 Element S3 Firmware Element S4 Element S4 Firmware One L One L Firmware One Xl One Xl Firmware Pulse Pulse Firmware

Configuration 1 [-]

AND

cpe:2.3:o:varta:element_backup_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:element_backup:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:varta:element_s1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:element_s1:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:varta:element_s2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:element_s2:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

OR	cpe:2.3:o:varta:element_s3_firmware::::::::
	cpe:2.3:o:varta:element_s3_firmware::::::::

cpe:2.3:h:varta:element_s3:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:varta:element_s4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:element_s4:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:varta:one_l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:one_l:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:varta:one_xl_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:one_xl:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:varta:pulse_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:varta:pulse:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2022-061/

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2023-03-23T05:32:16.285Z

Updated: 2024-08-03T03:14:55.324Z

Reserved: 2022-01-03T22:35:36.934Z

Link: CVE-2022-22512

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-23T06:15:12.367

Modified: 2023-05-23T07:15:09.060

Link: CVE-2022-22512

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-22512", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2022-01-03T22:35:36.934Z", "datePublished": "2023-03-23T05:32:16.285Z", "dateUpdated": "2024-08-03T03:14:55.324Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Element backup", "vendor": "VARTA Storage", "versions": [{"lessThan": "F21000400", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Element S1", "vendor": "VARTA Storage", "versions": [{"lessThan": "2e.3.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Element S2", "vendor": "VARTA Storage", "versions": [{"lessThan": "2e.3.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Element S2", "vendor": "VARTA Storage", "versions": [{"lessThan": "2e.3.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Element S3", "vendor": "VARTA Storage", "versions": [{"lessThan": "2e.3.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Element S3", "vendor": "VARTA Storage", "versions": [{"lessThan": "2e.4.4.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Element S4", "vendor": "VARTA Storage", "versions": [{"lessThan": "D21010400", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "One L/XL", "vendor": "VARTA Storage", "versions": [{"lessThan": "2e.3.8.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Pulse (not pulse neo)", "vendor": "VARTA Storage", "versions": [{"lessThan": "C21010800", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andreas Dolp"}, {"lang": "en", "type": "coordinator", "user": "00000000-0000-4000-9000-000000000000", "value": "CERT@VDE"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network."}], "value": "Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network."}], "impacts": [{"capecId": "CAPEC-150", "descriptions": [{"lang": "en", "value": "CAPEC-150 Collect Data from Common Resource Locations"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-05-23T06:06:45.925Z"}, "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-061/"}], "source": {"advisory": "VDE-2022-061", "defect": ["CERT@VDE#64092"], "discovery": "EXTERNAL"}, "title": "VARTA: Multiple devices prone to hard-coded credentials", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:14:55.324Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-061/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:element_backup_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B8FFA7A-1C91-4C5B-A1E0-F057A1B83B90", "versionEndExcluding": "f21000400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:element_backup:-:*:*:*:*:*:*:*", "matchCriteriaId": "18A32228-1E64-4F09-B8EA-F122F7F8EFBA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:element_s1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D85D801-4958-4949-B8C1-8CF486B463E8", "versionEndExcluding": "2e.3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:element_s1:-:*:*:*:*:*:*:*", "matchCriteriaId": "19031686-7D24-408D-9144-1286C2C288B7", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:element_s2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1AB1110-6B20-46CD-81EE-C893D02FED70", "versionEndExcluding": "2e.3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:element_s2:-:*:*:*:*:*:*:*", "matchCriteriaId": "E9BCEA27-93B4-4D04-8E2A-4A0CC4EA725E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:element_s3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E3B1FD3-CFA7-4585-B58F-DE3C67C952B5", "versionEndExcluding": "2e.3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:varta:element_s3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "290140CE-3093-42D1-8060-A1DF88695CE9", "versionEndExcluding": "2e.4.4.0", "versionStartIncluding": "2e.4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:element_s3:-:*:*:*:*:*:*:*", "matchCriteriaId": "67ACACF9-DBAF-4C23-AD99-2966BC9DE24A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:element_s4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "29167A22-1E33-4DD8-BD6D-9046F6D11394", "versionEndExcluding": "d21010400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:element_s4:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A2E6700-E663-4F91-8F2C-2D543A5B074D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:one_l_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "99BB655C-9E6E-4373-9B87-1A012DFAFACB", "versionEndExcluding": "2e.3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:one_l:-:*:*:*:*:*:*:*", "matchCriteriaId": "6FE9CF95-00C5-4913-9BFE-B57F1014FE7C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:one_xl_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "79C4C11C-02D8-4580-A2F6-23A7FD861CB7", "versionEndExcluding": "2e.3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:one_xl:-:*:*:*:*:*:*:*", "matchCriteriaId": "0CFDDC29-1017-4404-B7F1-2B935A3C44CD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:varta:pulse_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "025EF312-0B07-4553-8AF7-EEDD80A65FC1", "versionEndExcluding": "c21010800", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:varta:pulse:-:*:*:*:*:*:*:*", "matchCriteriaId": "F4E8517B-A421-44E3-850E-DD8D7C9A63FE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network."}], "id": "CVE-2022-22512", "lastModified": "2023-05-23T07:15:09.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2023-03-23T06:15:12.367", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-061/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "info@cert.vde.com", "type": "Primary"}]}