CVE-2022-43457 - Vulnerability Details - OpenCVE

Description

SQL Injection in

HandlerPage_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network

Published: 2022-11-17

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Delta Electronics

DIAEnergie

unaffected

Version	Status	Constraints
`All`	affected	—

Configuration 1 [-]

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-46458	SQL Injection in HandlerPage_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00202.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06

History

Tue, 15 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Deltaww Diaenergie

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-11-17T22:45:54.782Z

Updated: 2024-10-15T18:34:46.178Z

Reserved: 2022-10-31T00:00:00.000Z

Link: CVE-2022-43457

Vulnrichment

Updated: 2024-08-03T13:32:58.898Z

NVD

Status : Modified

Published: 2022-11-17T23:15:24.203

Modified: 2024-11-21T07:26:31.470

Link: CVE-2022-43457

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [{"status": "affected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection in \n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">HandlerPage_KID.ashx</span></span></span> </span></span>in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network"}], "value": "SQL Injection in \n\n\n\n\n\n\n\n\n\n\n\nHandlerPage_KID.ashx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-26T23:06:07.637Z"}, "references": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.</span>\n\n<br>"}], "value": "Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates."}], "source": {"advisory": "ICSA-22-298-06", "discovery": "EXTERNAL"}, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:58.898Z"}, "title": "CVE Program Container", "references": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:15:59.356108Z", "id": "CVE-2022-43457", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T18:34:46.178Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "cveId": "CVE-2022-43457", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2024-10-15T18:34:46.178Z", "dateReserved": "2022-10-31T00:00:00.000Z", "datePublished": "2022-11-17T22:45:54.782Z", "assignerShortName": "icscert"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:58.898Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-43457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-15T17:15:59.356108Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T18:05:09.995Z"}}], "cna": {"title": "Delta Electronics DIAEnergie SQL Injection", "source": {"advisory": "ICSA-22-298-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Delta Electronics", "product": "DIAEnergie", "versions": [{"status": "affected", "version": "All"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.</span>\n\n<br>", "base64": false}]}], "datePublic": "2022-11-10T18:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "SQL Injection in \n\n\n\n\n\n\n\n\n\n\n\nHandlerPage_KID.ashx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network", "supportingMedia": [{"type": "text/html", "value": "SQL Injection in \n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">HandlerPage_KID.ashx</span></span></span> </span></span>in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-26T23:06:07.637Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43457", "state": "PUBLISHED", "serial": 1, "dateUpdated": "2024-10-15T18:34:46.178Z", "dateReserved": "2022-10-31T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-11-17T22:45:54.782Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BB46AFC-A927-4749-99C8-DC75B691BF89", "versionEndExcluding": "1.9.02.001", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SQL Injection in \n\n\n\n\n\n\n\n\n\n\n\nHandlerPage_KID.ashx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network"}, {"lang": "es", "value": "La inyecci\u00f3n SQL en HandlerPage_KID.ashx en versiones de Delta Electronics DIAEnergie anteriores a la v1.9.02.001 permite a un atacante inyectar consultas SQL a trav\u00e9s de la red"}], "id": "CVE-2022-43457", "lastModified": "2024-11-21T07:26:31.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-17T23:15:24.203", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}