CVE-2023-2622 - Vulnerability Details - OpenCVE

Authenticated clients can read arbitrary files on the MAIN Computer
system using the remote procedure call (RPC) of the InspectSetup
service endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0013.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hitachienergy	Modular Advanced Control For Hvdc

Configuration 1 [-]

cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-34093	Authenticated clients can read arbitrary files on the MAIN Computer system using the remote procedure call (RPC) of the InspectSetup service endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true

History

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published: 2023-11-01T02:24:51.988Z

Updated: 2025-02-27T20:36:59.986Z

Reserved: 2023-05-10T08:59:58.079Z

Link: CVE-2023-2622

Vulnrichment

Updated: 2024-08-02T06:26:09.876Z

NVD

Status : Modified

Published: 2023-11-01T03:15:07.867

Modified: 2024-11-21T07:58:57.063

Link: CVE-2023-2622

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2622", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "state": "PUBLISHED", "assignerShortName": "Hitachi Energy", "dateReserved": "2023-05-10T08:59:58.079Z", "datePublished": "2023-11-01T02:24:51.988Z", "dateUpdated": "2025-02-27T20:36:59.986Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MACH System Software", "vendor": "Hitachi Energy", "versions": [{"lessThanOrEqual": "7.18.0.0", "status": "affected", "version": "7.10.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n"}], "value": "\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n"}], "impacts": [{"capecId": "CAPEC-497", "descriptions": [{"lang": "en", "value": "CAPEC-497 File Discovery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-668", "description": "CWE-668 Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2023-11-01T02:24:51.988Z"}, "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:09.876Z"}, "title": "CVE Program Container", "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-26T21:48:42.456844Z", "id": "CVE-2023-2622", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T20:36:59.986Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2622", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "state": "PUBLISHED", "assignerShortName": "Hitachi Energy", "dateReserved": "2023-05-10T08:59:58.079Z", "datePublished": "2023-11-01T02:24:51.988Z", "dateUpdated": "2025-02-27T20:36:59.986Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MACH System Software", "vendor": "Hitachi Energy", "versions": [{"lessThanOrEqual": "7.18.0.0", "status": "affected", "version": "7.10.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n"}], "value": "\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n"}], "impacts": [{"capecId": "CAPEC-497", "descriptions": [{"lang": "en", "value": "CAPEC-497 File Discovery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-668", "description": "CWE-668 Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2023-11-01T02:24:51.988Z"}, "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:09.876Z"}, "title": "CVE Program Container", "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2622", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-26T21:48:42.456844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-26T19:56:26.033Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:*:*:*:*:*:*:*:*", "matchCriteriaId": "462D2B72-044A-40AB-85F5-A2E082E04D01", "versionEndIncluding": "7.18.0.0", "versionStartIncluding": "7.10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nAuthenticated clients can read arbitrary files on the MAIN Computer\nsystem using the remote procedure call (RPC) of the InspectSetup\nservice endpoint. The low privilege client is then allowed to read arbitrary files that they do not have authorization to read.\n\n"}, {"lang": "es", "value": "Los clientes autenticados pueden leer archivos arbitrarios en el sistema inform\u00e1tico PRINCIPAL mediante Remote Procedure Call (RPC) del endpoint del servicio InspectSetup. Luego, el cliente con privilegios bajos puede leer archivos arbitrarios para los que no tiene autorizaci\u00f3n."}], "id": "CVE-2023-2622", "lastModified": "2024-11-21T07:58:57.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-01T03:15:07.867", "references": [{"source": "cybersecurity@hitachienergy.com", "tags": ["Vendor Advisory"], "url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true"}], "sourceIdentifier": "cybersecurity@hitachienergy.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}