CVE-2022-28813 - OpenCVE

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gavazziautomation	Cpy Car Park Server Uwp 3.0 Monitoring Gateway And Controller Uwp 3.0 Monitoring Gateway And Controller Firmware

Configuration 1 [-]

cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:edp:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*

cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:security_enhanced:*:*:*:*:*

No data.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2022-029/

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2022-09-28T00:00:00

Updated: 2024-08-03T06:03:53.135Z

Reserved: 2022-04-08T00:00:00

Link: CVE-2022-28813

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-28T14:15:10.513

Modified: 2022-12-07T03:06:34.630

Link: CVE-2022-28813

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-28813", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "dateUpdated": "2024-08-03T06:03:53.135Z", "dateReserved": "2022-04-08T00:00:00", "datePublished": "2022-09-28T00:00:00"}, "containers": {"cna": {"title": "SQL-injection in Car Park Server 3.0 allows for full database access.", "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2022-11-02T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device."}], "affected": [{"vendor": "Carlo Gavazzi", "product": "UWP 3.0 Monitoring Gateway and Controller", "versions": [{"version": "8", "status": "affected", "lessThan": "8.5.0.3", "versionType": "custom"}]}, {"vendor": "Carlo Gavazzi", "product": "UWP 3.0 Monitoring Gateway and Controller \u2013 Security Enhanced", "versions": [{"version": "8", "status": "affected", "lessThan": "8.5.0.3", "versionType": "custom"}]}, {"vendor": "Carlo Gavazzi", "product": "UWP 3.0 Monitoring Gateway and Controller \u2013 EDP version", "versions": [{"version": "8", "status": "affected", "lessThan": "8.5.0.3", "versionType": "custom"}]}, {"vendor": "Carlo Gavazzi", "product": "CPY Car Park Server", "versions": [{"version": "2", "status": "affected", "lessThan": "2.8.3", "versionType": "custom"}]}], "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-029/"}], "credits": [{"lang": "en", "value": "Vera Mens from Claroty Research"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-89 SQL Injection", "cweId": "CWE-89"}]}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "source": {"advisory": "VDE-2022-029", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:03:53.135Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2022-029/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E670508-7A94-4A01-9C2B-51E82D5A861F", "versionEndExcluding": "2.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "14B2D9AB-2D19-4AD6-A049-CDB6814CC8D0", "versionEndExcluding": "8.5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "90DBF492-5F3A-4F53-ACFC-59F89470D632", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*", "matchCriteriaId": "5BFC1445-995C-44F7-BE85-E0C1D462573E", "versionEndExcluding": "8.5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:edp:*:*:*:*:*", "matchCriteriaId": "C7900CB8-560F-4DD7-82B9-8226A8F5F5CC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*", "matchCriteriaId": "F6584CB1-FA0B-468D-AA58-F2D2F33763AA", "versionEndExcluding": "8.5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller:-:*:security_enhanced:*:*:*:*:*", "matchCriteriaId": "B29F6465-3533-4B50-B436-4DC4E6F1B361", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device."}, {"lang": "es", "value": "En Carlo Gavazzi UWP versi\u00f3n 3.0 en m\u00faltiples versiones y CPY Car Park Server en versi\u00f3n 2.8.3, un atacante remoto no autenticado podr\u00eda hacer uso de una inyecci\u00f3n SQL para conseguir acceso a una base de datos temporal vol\u00e1til con los estados actuales del dispositivo"}], "id": "CVE-2022-28813", "lastModified": "2022-12-07T03:06:34.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2022-09-28T14:15:10.513", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2022-029/"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "info@cert.vde.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}