CVE-2022-34383 - OpenCVE

Dell Edge Gateway 5200 (EGW) versions before 1.03.10 contain an operating system command injection vulnerability. A local malicious user may potentially exploit this vulnerability by using an SMI to bypass PMC mitigation and gain arbitrary code execution during SMM.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Edge Gateway 5200 Edge Gateway 5200 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:dell:edge_gateway_5200:-:*:*:*:*:*:*:*

cpe:2.3:o:dell:edge_gateway_5200_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.dell.com/support/kbdoc/en-us/000202711

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2022-08-31T20:05:16.529653Z

Updated: 2024-09-16T23:35:34.303Z

Reserved: 2022-06-23T00:00:00

Link: CVE-2022-34383

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-31T20:15:08.747

Modified: 2022-09-07T17:30:56.257

Link: CVE-2022-34383

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Edge Gateway 5200", "vendor": "Dell", "versions": [{"lessThan": "1.03.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-08-24T00:00:00", "descriptions": [{"lang": "en", "value": "Dell Edge Gateway 5200 (EGW) versions before 1.03.10 contain an operating system command injection vulnerability. A local malicious user may potentially exploit this vulnerability by using an SMI to bypass PMC mitigation and gain arbitrary code execution during SMM."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-31T20:05:16", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dell.com/support/kbdoc/en-us/000202711"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2022-08-24", "ID": "CVE-2022-34383", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Edge Gateway 5200", "version": {"version_data": [{"version_affected": "<", "version_value": "1.03.10"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell Edge Gateway 5200 (EGW) versions before 1.03.10 contain an operating system command injection vulnerability. A local malicious user may potentially exploit this vulnerability by using an SMI to bypass PMC mitigation and gain arbitrary code execution during SMM."}]}, "impact": {"cvss": {"baseScore": 8.1, "baseSeverity": "High", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/kbdoc/en-us/000202711", "refsource": "MISC", "url": "https://www.dell.com/support/kbdoc/en-us/000202711"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:07:16.231Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.dell.com/support/kbdoc/en-us/000202711"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2022-34383", "datePublished": "2022-08-31T20:05:16.529653Z", "dateReserved": "2022-06-23T00:00:00", "dateUpdated": "2024-09-16T23:35:34.303Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:dell:edge_gateway_5200:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6832A53-E950-4572-A178-CF5DC14CACC5", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:dell:edge_gateway_5200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D017E208-1233-450E-AA08-0273D6A98916", "versionEndExcluding": "1.03.10", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Edge Gateway 5200 (EGW) versions before 1.03.10 contain an operating system command injection vulnerability. A local malicious user may potentially exploit this vulnerability by using an SMI to bypass PMC mitigation and gain arbitrary code execution during SMM."}, {"lang": "es", "value": "Dell Edge Gateway 5200 (EGW) versiones anteriores a 1.03.10, contienen una vulnerabilidad de inyecci\u00f3n de comandos en el sistema operativo. Un usuario local malicioso puede explotar potencialmente esta vulnerabilidad al usar un SMI para omitir la mitigaci\u00f3n del PMC y conseguir una ejecuci\u00f3n de c\u00f3digo arbitrario durante el SMM"}], "id": "CVE-2022-34383", "lastModified": "2022-09-07T17:30:56.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2022-08-31T20:15:08.747", "references": [{"source": "security_alert@emc.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000202711"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "security_alert@emc.com", "type": "Secondary"}]}