CVE-2022-40264 - OpenCVE

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user import a project package file crafted by the attacker.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Iconics	Genesis64

Configuration 1 [-]

cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://iconics.com/About/Security/CERT
https://jvn.jp/vu/JVNVU95858406/index.html
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-014_en.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2022-12-13T23:32:57.049Z

Updated: 2024-08-03T12:14:40.199Z

Reserved: 2022-09-08T19:40:16.930Z

Link: CVE-2022-40264

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-12-14T00:15:10.033

Modified: 2022-12-16T17:09:40.437

Link: CVE-2022-40264

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-40264", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "state": "PUBLISHED", "assignerShortName": "Mitsubishi", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "dateReserved": "2022-09-08T19:40:16.930Z", "datePublished": "2022-12-13T23:32:57.049Z", "dateUpdated": "2024-08-03T12:14:40.199Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GENESIS64", "vendor": "ICONICS and Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "versions 10.96 to 10.97.2"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user import a project package file crafted by the attacker."}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user import a project package file crafted by the attacker."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2022-12-13T23:32:57.049Z"}, "references": [{"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-014_en.pdf"}, {"url": "https://jvn.jp/vu/JVNVU95858406/index.html"}, {"url": "https://iconics.com/About/Security/CERT"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:14:40.199Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-014_en.pdf", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/vu/JVNVU95858406/index.html", "tags": ["x_transferred"]}, {"url": "https://iconics.com/About/Security/CERT", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C5F6808-16BA-439F-8939-6F5D1DCC3367", "versionEndIncluding": "10.97.2", "versionStartIncluding": "10.96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user import a project package file crafted by the attacker."}, {"lang": "es", "value": "Vulnerabilidad de limitaci\u00f3n inadecuada de un nombre de ruta a un directorio restringido (\"Path Traversal\") en ICONICS/Mitsubishi Electric GENESIS64 versiones 10.96 a 10.97.2 permite a un atacante no autenticado crear, manipular o destruir archivos arbitrarios haciendo que un usuario leg\u00edtimo importe un paquete de proyecto archivo creado por el atacante."}], "id": "CVE-2022-40264", "lastModified": "2022-12-16T17:09:40.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}, "published": "2022-12-14T00:15:10.033", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Vendor Advisory"], "url": "https://iconics.com/About/Security/CERT"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/vu/JVNVU95858406/index.html"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-014_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}