OpenCVE

An unauthorized user could alter or write files with full control over the path and content of the file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ge	Proficy Historian

Configuration 1 [-]

cpe:2.3:a:ge:proficy_historian:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01
https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-01-17T23:47:18.275Z

Updated: 2024-08-03T14:39:38.606Z

Reserved: 2022-12-15T18:53:06.233Z

Link: CVE-2022-46660

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-18T00:15:12.273

Modified: 2024-11-21T07:30:51.960

Link: CVE-2022-46660

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46660", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2022-12-15T18:53:06.233Z", "datePublished": "2023-01-17T23:47:18.275Z", "dateUpdated": "2024-08-03T14:39:38.606Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Proficy Historian", "vendor": "GE Digital ", "versions": [{"status": "affected", "version": "7.0"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Uri Katz of Claroty Research reported these vulnerabilities to GE.\u00a0"}], "datePublic": "2023-01-17T23:25:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nAn unauthorized user could alter or write files with full control over the path and content of the file. \n\n \n\n"}], "value": "\nAn unauthorized user could alter or write files with full control over the path and content of the file. \n\n \n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-01-17T23:47:18.275Z"}, "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}, {"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nGE Digital released <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.ge.com/digital/applications/proficy-historian\">Proficy Historian 2023</a> <span style=\"background-color: var(--wht);\">to mitigate these vulnerabilities.  SIMs have also been released for all affected versions.</span><p>Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting <a target=\"_blank\" rel=\"nofollow\" href=\"https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01\">this notification document from GE Digital</a><span style=\"background-color: var(--wht);\">.  </span></p>"}], "value": "GE Digital released Proficy Historian 2023 https://www.ge.com/digital/applications/proficy-historian \u00a0to mitigate these vulnerabilities. \u00a0SIMs have also been released for all affected versions.Users can find out more about the vulnerabilities, how to obtain, and install the updates by visiting this notification document from GE Digital https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01 .\u00a0\u00a0\n\n"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.606Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01", "tags": ["x_transferred"]}, {"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:proficy_historian:*:*:*:*:*:*:*:*", "matchCriteriaId": "D11858B0-9F9F-4AA0-95DD-52365A7E18EF", "versionEndExcluding": "2023", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nAn unauthorized user could alter or write files with full control over the path and content of the file. \n\n \n\n"}, {"lang": "es", "value": "Un usuario no autorizado podr\u00eda alterar o escribir archivos con control total sobre la ruta y el contenido del archivo."}], "id": "CVE-2022-46660", "lastModified": "2024-11-21T07:30:51.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-18T00:15:12.273", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}