CVE-2022-22523 - OpenCVE

An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gavazziautomation	Cpy Car Park Server Uwp 3.0 Monitoring Gateway And Controller Uwp 3.0 Monitoring Gateway And Controller Firmware

Configuration 1 [-]

cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:edp:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:security_enhanced:*:*:*:*:*

No data.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2022-029/

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2022-09-28T13:45:29

Updated: 2024-08-03T03:14:55.446Z

Reserved: 2022-01-03T00:00:00

Link: CVE-2022-22523

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-28T14:15:10.040

Modified: 2022-09-30T13:13:14.020

Link: CVE-2022-22523

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "UWP 3.0 Monitoring Gateway and Controller", "vendor": "Carlo Gavazzi", "versions": [{"lessThan": "8.5.0.3", "status": "affected", "version": "8", "versionType": "custom"}]}, {"product": "UWP 3.0 Monitoring Gateway and Controller \u2013 Security Enhanced", "vendor": "Carlo Gavazzi", "versions": [{"lessThan": "8.5.0.3", "status": "affected", "version": "8", "versionType": "custom"}]}, {"product": "UWP 3.0 Monitoring Gateway and Controller \u2013 EDP version", "vendor": "Carlo Gavazzi", "versions": [{"lessThan": "8.5.0.3", "status": "affected", "version": "8", "versionType": "custom"}]}, {"product": "CPY Car Park Server", "vendor": "Carlo Gavazzi", "versions": [{"lessThan": "2.8.3", "status": "affected", "version": "2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Vera Mens from Claroty Research"}], "descriptions": [{"lang": "en", "value": "An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-28T13:45:29", "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en/advisories/VDE-2022-029/"}], "source": {"advisory": "VDE-2022-029", "discovery": "EXTERNAL"}, "title": "Carlo Gavazzi UWP 3.0 WebApp allows for authentication bypass", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "info@cert.vde.com", "ID": "CVE-2022-22523", "STATE": "PUBLIC", "TITLE": "Carlo Gavazzi UWP 3.0 WebApp allows for authentication bypass"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "UWP 3.0 Monitoring Gateway and Controller", "version": {"version_data": [{"version_affected": "<", "version_name": "8", "version_value": "8.5.0.3"}]}}, {"product_name": "UWP 3.0 Monitoring Gateway and Controller \u2013 Security Enhanced", "version": {"version_data": [{"version_affected": "<", "version_name": "8", "version_value": "8.5.0.3"}]}}, {"product_name": "UWP 3.0 Monitoring Gateway and Controller \u2013 EDP version", "version": {"version_data": [{"version_affected": "<", "version_name": "8", "version_value": "8.5.0.3"}]}}, {"product_name": "CPY Car Park Server", "version": {"version_data": [{"version_affected": "<", "version_name": "2", "version_value": "2.8.3"}]}}]}, "vendor_name": "Carlo Gavazzi"}]}}, "credit": [{"lang": "eng", "value": "Vera Mens from Claroty Research"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287 Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/en/advisories/VDE-2022-029/", "refsource": "CONFIRM", "url": "https://cert.vde.com/en/advisories/VDE-2022-029/"}]}, "source": {"advisory": "VDE-2022-029", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:14:55.446Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert.vde.com/en/advisories/VDE-2022-029/"}]}]}, "cveMetadata": {"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "cveId": "CVE-2022-22523", "datePublished": "2022-09-28T13:45:29", "dateReserved": "2022-01-03T00:00:00", "dateUpdated": "2024-08-03T03:14:55.446Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E670508-7A94-4A01-9C2B-51E82D5A861F", "versionEndExcluding": "2.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "14B2D9AB-2D19-4AD6-A049-CDB6814CC8D0", "versionEndExcluding": "8.5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "90DBF492-5F3A-4F53-ACFC-59F89470D632", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*", "matchCriteriaId": "5BFC1445-995C-44F7-BE85-E0C1D462573E", "versionEndExcluding": "8.5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:edp:*:*:*:*:*", "matchCriteriaId": "C7900CB8-560F-4DD7-82B9-8226A8F5F5CC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*", "matchCriteriaId": "F6584CB1-FA0B-468D-AA58-F2D2F33763AA", "versionEndExcluding": "8.5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:security_enhanced:*:*:*:*:*", "matchCriteriaId": "B29F6465-3533-4B50-B436-4DC4E6F1B361", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de autenticaci\u00f3n inapropiada en Carlo Gavazzi UWP versi\u00f3n 3.0 en m\u00faltiples versiones y en CPY Car Park Server en versi\u00f3n 2.8.3 Web-App, que permite una omisi\u00f3n de autenticaci\u00f3n al contexto de un usuario no autorizado si el acceso libre est\u00e1 deshabilitado"}], "id": "CVE-2022-22523", "lastModified": "2022-09-30T13:13:14.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2022-09-28T14:15:10.040", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-029/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "info@cert.vde.com", "type": "Primary"}]}