CVE-2022-25164 - OpenCVE

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mitsubishielectric	Gx Works3 Mx Opc Ua Module Configurator-r

Configuration 1 [-]

OR	cpe:2.3:a:mitsubishielectric:gx_works3::::::::
	cpe:2.3:a:mitsubishielectric:gx_works3::::::::
	cpe:2.3:a:mitsubishielectric:gx_works3::::::::
	cpe:2.3:a:mitsubishielectric:mx_opc_ua_module_configurator-r:-:::::::*

No data.

References

Link	Providers
https://jvn.jp/vu/JVNVU97244961/index.html
https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2022-11-24T23:21:25.536Z

Updated: 2024-08-03T04:36:05.086Z

Reserved: 2022-02-14T22:38:29.671Z

Link: CVE-2022-25164

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-25T00:15:09.907

Modified: 2023-06-29T08:15:10.023

Link: CVE-2022-25164

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-25164", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "state": "PUBLISHED", "assignerShortName": "Mitsubishi", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "dateReserved": "2022-02-14T22:38:29.671Z", "datePublished": "2022-11-24T23:21:25.536Z", "dateUpdated": "2024-08-03T04:36:05.086Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GX Works3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "from 1.000A to 1.095Z"}]}, {"defaultStatus": "unaffected", "product": "MX OPC UA Module Configurator-R", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "1.08J and prior"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module."}], "value": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2023-06-29T07:41:03.163Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"}, {"tags": ["government-resource"], "url": "https://jvn.jp/vu/JVNVU97244961/index.html"}, {"tags": ["government-resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:05.086Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"}, {"tags": ["government-resource", "x_transferred"], "url": "https://jvn.jp/vu/JVNVU97244961/index.html"}, {"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*", "matchCriteriaId": "A868567B-2BAA-45AE-AEC9-3AFEF2361297", "versionEndIncluding": "1.011m", "versionStartIncluding": "1.000a", "vulnerable": true}, {"criteria": "cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*", "matchCriteriaId": "56BD062B-0D41-42E2-B9EF-B7FBB514CFF9", "versionEndIncluding": "1.086q", "versionStartIncluding": "1.015r", "vulnerable": true}, {"criteria": "cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7C6A654-1B83-4743-8DDE-B8C5AA5C4D2A", "versionStartIncluding": "1.087r", "vulnerable": true}, {"criteria": "cpe:2.3:a:mitsubishielectric:mx_opc_ua_module_configurator-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "259C29BF-D845-42E4-8289-BD2FDBE77133", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module."}, {"lang": "es", "value": "Vulnerabilidad de almacenamiento de texto sin cifrar de informaci\u00f3n confidencial en Mitsubishi Electric GX Works3 versiones de 1.000A a 1.095Z y Mitsubishi Electric MX OPC UA Module Configurator-R versiones 1.08J y anteriores permite que un atacante remoto no autenticado revele informaci\u00f3n sensible. Como resultado, atacantes no autenticados pueden obtener acceso no autorizado al m\u00f3dulo de CPU de MELSEC y al m\u00f3dulo de servidor OPC UA de MELSEC."}], "id": "CVE-2022-25164", "lastModified": "2023-06-29T08:15:10.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}, "published": "2022-11-25T00:15:09.907", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://jvn.jp/vu/JVNVU97244961/index.html"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-312"}], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}