CVE-2022-0902

EPSS 23.79%
Veröffentlicht 21.07.2022 16:15:08
Zuletzt bearbeitet 21.11.2024 06:39:38
Quelle cybersecurity@ch.abb.com
Teams Watchlist Login
Unerledigt Login

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB ( RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5 , XRCG5 , uFLOG5 , UDC) allows an attacker who successfully exploited this vulnerability could insert and run arbitrary code in an affected system node.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Abb ≫ Rmc-100 Firmware Version < 2105457-037

Abb ≫ Rmc-100 Version-

Abb ≫ Rmc-100-lite Firmware Version < 2106229-011

Abb ≫ Rmc-100-lite Version-

Abb ≫ Xio Firmware Version < 2106198-008

Abb ≫ Xio Version-

Abb ≫ Xfcg5 Firmware Version < 2105805-016

Abb ≫ Xfcg5 Version-

Abb ≫ Xrcg5 Firmware Version < 2105864-016

Abb ≫ Xrcg5 Version-

Abb ≫ Uflog5 Firmware Version < 2105298-024

Abb ≫ Uflog5 Version-

Abb ≫ Udc Firmware Version < 2106177-007

Abb ≫ Udc Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	23.79%	0.958

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cybersecurity@ch.abb.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&LanguageCode=en&DocumentPartId=&Action=Launch&_ga

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-0902

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-0902

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-0902

EUVD