CVE-2022-1118

EPSS 46.16%
Veröffentlicht 17.05.2022 20:15:08
Zuletzt bearbeitet 21.11.2024 06:40:05
Quelle ics-cert@hq.dhs.gov
Teams Watchlist Login
Unerledigt Login

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rockwellautomation ≫ Connected Component Workbench Version <= 13.00.00

Rockwellautomation ≫ Isagraf Workbench Version >= 6.0 <= 6.6.9

Rockwellautomation ≫ Safety Instrumented Systems Workstation Version <= 1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	46.16%	0.975

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
ics-cert@hq.dhs.gov	8.6	1.8	6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-01

Third Party Advisory

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2022-1118

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1118

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1118

EUVD