CVE-2022-46331 - Vulnerability Details - OpenCVE

Description

An unauthorized user could possibly delete any file on the system.

Published: 2023-01-17

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GE Digital

Proficy Historian

unaffected

Version	Status	Constraints
`7.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:ge:proficy_historian:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

GE Digital released Proficy Historian 2023 https://www.ge.com/digital/applications/proficy-historian to mitigate these vulnerabilities. SIMs have also been released for all affected versions.Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting this notification document from GE Digital https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01 .

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-49148	An unauthorized user could possibly delete any file on the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00169.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01
https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01

History

Thu, 16 Jan 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Ge Proficy Historian

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-01-17T23:49:42.351Z

Updated: 2025-01-16T22:00:49.355Z

Reserved: 2022-12-15T18:53:06.219Z

Link: CVE-2022-46331

Vulnrichment

Updated: 2024-08-03T14:31:46.209Z

NVD

Status : Modified

Published: 2023-01-18T00:15:12.183

Modified: 2024-11-21T07:30:24.230

Link: CVE-2022-46331

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46331", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2022-12-15T18:53:06.219Z", "datePublished": "2023-01-17T23:49:42.351Z", "dateUpdated": "2025-01-16T22:00:49.355Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Proficy Historian", "vendor": "GE Digital ", "versions": [{"status": "affected", "version": "7.0"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Uri Katz of Claroty Research reported these vulnerabilities to GE.\u00a0"}], "datePublic": "2023-01-17T23:25:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\nAn unauthorized user could possibly delete any file on the system. \n\n \n\n \n\n \n\n"}], "value": "\n\n\nAn unauthorized user could possibly delete any file on the system. \n\n \n\n \n\n \n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-01-17T23:49:42.351Z"}, "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}, {"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nGE Digital released <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ge.com/digital/applications/proficy-historian\">Proficy Historian 2023</a> <span style=\"background-color: var(--wht);\">to mitigate these vulnerabilities.  SIMs have also been released for all affected versions.</span><p>Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting <a target=\"_blank\" rel=\"nofollow\" href=\"https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01\">this notification document from GE Digital</a><span style=\"background-color: var(--wht);\">.  </span></p>"}], "value": "GE Digital released Proficy Historian 2023 https://www.ge.com/digital/applications/proficy-historian \u00a0to mitigate these vulnerabilities. \u00a0SIMs have also been released for all affected versions.Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting this notification document from GE Digital https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01 .\u00a0\u00a0\n\n"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:31:46.209Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01", "tags": ["x_transferred"]}, {"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-16T20:57:10.842351Z", "id": "CVE-2022-46331", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T22:00:49.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01", "tags": ["x_transferred"]}, {"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:31:46.209Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-46331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-16T20:57:10.842351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T20:57:12.243Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Uri Katz of Claroty Research reported these vulnerabilities to GE.\u00a0"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GE Digital ", "product": "Proficy Historian", "versions": [{"status": "affected", "version": "7.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "GE Digital released Proficy Historian 2023 https://www.ge.com/digital/applications/proficy-historian \u00a0to mitigate these vulnerabilities. \u00a0SIMs have also been released for all affected versions.Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting this notification document from GE Digital https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01 .\u00a0\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "\nGE Digital released <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ge.com/digital/applications/proficy-historian\">Proficy Historian 2023</a> <span style=\"background-color: var(--wht);\">to mitigate these vulnerabilities.  SIMs have also been released for all affected versions.</span><p>Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting <a target=\"_blank\" rel=\"nofollow\" href=\"https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01\">this notification document from GE Digital</a><span style=\"background-color: var(--wht);\">.  </span></p>", "base64": false}]}], "datePublic": "2023-01-17T23:25:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}, {"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\n\n\nAn unauthorized user could possibly delete any file on the system. \n\n \n\n \n\n \n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n\n\nAn unauthorized user could possibly delete any file on the system. \n\n \n\n \n\n \n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-01-17T23:49:42.351Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46331", "state": "PUBLISHED", "dateUpdated": "2025-01-16T22:00:49.355Z", "dateReserved": "2022-12-15T18:53:06.219Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2023-01-17T23:49:42.351Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:proficy_historian:*:*:*:*:*:*:*:*", "matchCriteriaId": "D11858B0-9F9F-4AA0-95DD-52365A7E18EF", "versionEndExcluding": "2023", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nAn unauthorized user could possibly delete any file on the system. \n\n \n\n \n\n \n\n"}, {"lang": "es", "value": "Un usuario no autorizado posiblemente podr\u00eda eliminar cualquier archivo del sistema."}], "id": "CVE-2022-46331", "lastModified": "2024-11-21T07:30:24.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T00:15:12.183", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}