OpenCVE

RONDS EPM version 1.19.5 does not properly validate the filename parameter, which could allow an unauthorized user to specify file paths and download files.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ronds	Equipment Predictive Maintenance

Configuration 1 [-]

cpe:2.3:a:ronds:equipment_predictive_maintenance:1.19.5:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-01-17T16:19:05.745Z

Updated: 2024-08-03T00:53:00.205Z

Reserved: 2022-08-18T22:34:51.784Z

Link: CVE-2022-2893

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-17T17:15:11.333

Modified: 2024-11-21T07:01:53.153

Link: CVE-2022-2893

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-2893", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2022-08-18T22:34:51.784Z", "datePublished": "2023-01-17T16:19:05.745Z", "dateUpdated": "2024-08-03T00:53:00.205Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Equipment Predictive Maintenance Solution", "vendor": "RONDS", "versions": [{"status": "affected", "version": "1.19.5 "}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "TsungShu Chiu of CHT Security reported these vulnerabilities to CISA. "}], "datePublic": "2023-01-12T16:17:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nRONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files.  \n\n<p></p>"}], "value": "RONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u00a0\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-01-17T16:19:05.745Z"}, "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>RONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.</p>"}], "value": "\nRONDS provides the software to users that purchase their products and recommends users upgrade the software to version 1.35.21.\n\n"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:53:00.205Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ronds:equipment_predictive_maintenance:1.19.5:*:*:*:*:*:*:*", "matchCriteriaId": "E989C2F6-A2EA-4CD9-B058-07164859F438", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RONDS EPM version 1.19.5 does not properly validate the filename \nparameter, which could allow an unauthorized user to specify file paths \nand download files. \u00a0\n\n\n\n"}, {"lang": "es", "value": "RONDS EPM versi\u00f3n 1.19.5 no valida correctamente el par\u00e1metro de nombre de archivo, lo que podr\u00eda permitir a un usuario no autorizado especificar rutas de archivo y descargar archivos."}], "id": "CVE-2022-2893", "lastModified": "2024-11-21T07:01:53.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-17T17:15:11.333", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}