CVE-2022-45876 - Vulnerability Details - OpenCVE

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.04597.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Visam Subscribe	Vbase Subscribe

Configuration 1 [-]

cpe:2.3:a:visam:vbase:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-48727	Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

Fixes

Solution

VISAM recommends users update to VBASE 11.7.5 or later. The update can be performed via the VBASE Editor update dialog on machines with secure access to the internet. Users of machines without internet access must manually update by submitting a request form https://www.vbase.net/en/download.php to receive a download link.For more information, users should contact VISAM using the information provided on their contact page https://www.visam.com/kontakt.php (German language).

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05
https://www.vbase.net/en/download.php
https://www.visam.com/kontakt.php

History

Fri, 17 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-04-26T21:07:31.302Z

Updated: 2025-01-17T17:10:14.204Z

Reserved: 2022-12-21T17:02:52.817Z

Link: CVE-2022-45876

Vulnrichment

Updated: 2024-08-03T14:24:03.202Z

NVD

Status : Modified

Published: 2023-04-26T22:15:08.737

Modified: 2025-01-17T18:15:18.117

Link: CVE-2022-45876

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-611

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-45876", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2022-12-21T17:02:52.817Z", "datePublished": "2023-04-26T21:07:31.302Z", "dateUpdated": "2025-01-17T17:10:14.204Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VBASE", "vendor": "VISAM", "versions": [{"lessThan": "11.7.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA."}], "datePublic": "2023-03-21T21:05:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.</p>"}], "value": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.\n\n"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-04-26T21:07:31.302Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"}, {"url": "https://www.visam.com/kontakt.php"}, {"url": "https://www.vbase.net/en/download.php"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nVISAM recommends users update to VBASE 11.7.5 or later. The update can \nbe performed via the VBASE Editor update dialog on machines with secure \naccess to the internet.  Users of machines without internet access must \nmanually update by submitting a <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.vbase.net/en/download.php\">request form</a> <span style=\"background-color: var(--wht);\"> to receive a download link.</span><p>For more information, users should contact VISAM using the information provided on their <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.visam.com/kontakt.php\">contact page</a> <span style=\"background-color: var(--wht);\"> (German language).</span></p>"}], "value": "VISAM recommends users update to VBASE 11.7.5 or later. The update can \nbe performed via the VBASE Editor update dialog on machines with secure \naccess to the internet. \u00a0Users of machines without internet access must \nmanually update by submitting a request form https://www.vbase.net/en/download.php \u00a0\u00a0to receive a download link.For more information, users should contact VISAM using the information provided on their contact page https://www.visam.com/kontakt.php \u00a0\u00a0(German language).\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "CVE-2022-45876", "x_generator": {"engine": "VINCE 2.0.7", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2022-45468"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.202Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05", "tags": ["x_transferred"]}, {"url": "https://www.visam.com/kontakt.php", "tags": ["x_transferred"]}, {"url": "https://www.vbase.net/en/download.php", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-17T17:01:26.608197Z", "id": "CVE-2022-45876", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-17T17:10:14.204Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05", "tags": ["x_transferred"]}, {"url": "https://www.visam.com/kontakt.php", "tags": ["x_transferred"]}, {"url": "https://www.vbase.net/en/download.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.202Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-45876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-17T17:01:26.608197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-17T17:09:45.673Z"}}], "cna": {"title": "CVE-2022-45876", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA."}], "affected": [{"vendor": "VISAM", "product": "VBASE", "versions": [{"status": "affected", "version": "0", "lessThan": "11.7.5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "VISAM recommends users update to VBASE 11.7.5 or later. The update can \nbe performed via the VBASE Editor update dialog on machines with secure \naccess to the internet. \u00a0Users of machines without internet access must \nmanually update by submitting a request form https://www.vbase.net/en/download.php \u00a0\u00a0to receive a download link.For more information, users should contact VISAM using the information provided on their contact page https://www.visam.com/kontakt.php \u00a0\u00a0(German language).\n\n", "supportingMedia": [{"type": "text/html", "value": "\nVISAM recommends users update to VBASE 11.7.5 or later. The update can \nbe performed via the VBASE Editor update dialog on machines with secure \naccess to the internet.  Users of machines without internet access must \nmanually update by submitting a <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.vbase.net/en/download.php\">request form</a> <span style=\"background-color: var(--wht);\"> to receive a download link.</span><p>For more information, users should contact VISAM using the information provided on their <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.visam.com/kontakt.php\">contact page</a> <span style=\"background-color: var(--wht);\"> (German language).</span></p>", "base64": false}]}], "datePublic": "2023-03-21T21:05:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"}, {"url": "https://www.visam.com/kontakt.php"}, {"url": "https://www.vbase.net/en/download.php"}], "x_generator": {"env": "prod", "engine": "VINCE 2.0.7", "origin": "https://cveawg.mitre.org/api/cve/CVE-2022-45468"}, "descriptions": [{"lang": "en", "value": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-04-26T21:07:31.302Z"}}}, "cveMetadata": {"cveId": "CVE-2022-45876", "state": "PUBLISHED", "dateUpdated": "2025-01-17T17:10:14.204Z", "dateReserved": "2022-12-21T17:02:52.817Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2023-04-26T21:07:31.302Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:visam:vbase:*:*:*:*:*:*:*:*", "matchCriteriaId": "66698568-7086-4708-B7C9-69AAAA8104DC", "versionEndExcluding": "11.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.\n\n"}], "id": "CVE-2022-45876", "lastModified": "2025-01-17T18:15:18.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-04-26T22:15:08.737", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.vbase.net/en/download.php"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://www.visam.com/kontakt.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.vbase.net/en/download.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.visam.com/kontakt.php"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}