CVE-2022-23129 - OpenCVE

Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Iconics	Genesis64
Mitsubishielectric	Mc Works64

Configuration 1 [-]

OR	cpe:2.3:a:iconics:genesis64::::::::
	cpe:2.3:a:mitsubishielectric:mc_works64::::::::

No data.

References

Link	Providers
https://jvn.jp/vu/JVNVU95403720/index.html
https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2022-01-21T18:17:31

Updated: 2024-08-03T03:36:19.744Z

Reserved: 2022-01-11T00:00:00

Link: CVE-2022-23129

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-21T19:15:10.037

Modified: 2022-01-27T20:09:11.953

Link: CVE-2022-23129

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Mitsubishi Electric MC Works64; ICONICS GENESIS64", "vendor": "n/a", "versions": [{"status": "affected", "version": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"}, {"status": "affected", "version": "ICONICS GENESIS64 versions 10.90 to 10.97"}]}], "descriptions": [{"lang": "en", "value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."}], "problemTypes": [{"descriptions": [{"description": "Plaintext Storage of a Password", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-21T18:17:31", "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/vu/JVNVU95403720/index.html"}, {"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "ID": "CVE-2022-23129", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Mitsubishi Electric MC Works64; ICONICS GENESIS64", "version": {"version_data": [{"version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"}, {"version_value": "ICONICS GENESIS64 versions 10.90 to 10.97"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Plaintext Storage of a Password"}]}]}, "references": {"reference_data": [{"name": "https://jvn.jp/vu/JVNVU95403720/index.html", "refsource": "MISC", "url": "https://jvn.jp/vu/JVNVU95403720/index.html"}, {"name": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"}, {"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf", "refsource": "MISC", "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:19.744Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jvn.jp/vu/JVNVU95403720/index.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "assignerShortName": "Mitsubishi", "cveId": "CVE-2022-23129", "datePublished": "2022-01-21T18:17:31", "dateReserved": "2022-01-11T00:00:00", "dateUpdated": "2024-08-03T03:36:19.744Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*", "matchCriteriaId": "244286B8-A94E-451A-A79F-895B01BCE0FB", "versionEndIncluding": "10.97", "versionStartIncluding": "10.90", "vulnerable": true}, {"criteria": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*", "matchCriteriaId": "D31E1BFD-8194-4BA1-998B-BC4005454C15", "versionEndExcluding": "10.95.210.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."}, {"lang": "es", "value": "Una vulnerabilidad de almacenamiento de texto plano de una contrase\u00f1a en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores y en ICONICS GENESIS64 versiones 10.90 a 10.97, permite a un atacante local autenticado conseguir informaci\u00f3n de autenticaci\u00f3n y acceder a la base de datos de forma ilegal. Esto es debido a que cuando la informaci\u00f3n de configuraci\u00f3n de GridWorX, una funci\u00f3n de enlace de bases de datos de GENESIS64 y MC Works64, es exportada a un archivo CSV, la informaci\u00f3n de autenticaci\u00f3n es guardada en texto plano, y un atacante que pueda acceder a este archivo CSV puede conseguir la informaci\u00f3n de autenticaci\u00f3n"}], "id": "CVE-2022-23129", "lastModified": "2022-01-27T20:09:11.953", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-21T19:15:10.037", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Mitigation", "Third Party Advisory", "VDB Entry"], "url": "https://jvn.jp/vu/JVNVU95403720/index.html"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource", "VDB Entry"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}]}