6.5
CVE-2022-24041
- EPSS 0.19%
- Published 10.05.2022 11:15:08
- Last modified 21.11.2024 06:49:42
- Source productcert@siemens.com
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2-derived key of users' passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.
Data is provided by the National Vulnerability Database (NVD)
Siemens ≫ Desigo Pxc5 Firmware Version < 02.20.142.10-10884
Siemens ≫ Desigo Pxc4 Firmware Version < 02.20.142.10-10884
Siemens ≫ Desigo Pxc3 Firmware Version < 01.21.142.4-18
Siemens ≫ Desigo Dxr2 Firmware Version < 01.21.142.5-22
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.19% | 0.411 |
Source | CVSS Version | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|---|
nvd@nist.gov | 3.1 | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
nvd@nist.gov | 2.0 | 4.0 | 8.0 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
CWE-916 Use of Password Hash With Insufficient Computational Effort
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
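The following is an added illustration of the weakness described in the advisory above and in CWE-916; it is example code written for this page, not Siemens code, and it does not reproduce the Desigo web application. The iteration counts (1,000 as "low", 600,000 as the OWASP 2023 recommendation for PBKDF2-HMAC-SHA256), the user records and the wordlist are all constructed for the example; the page does not state the count the affected firmware used. The point it makes is that a low iteration count does not break PBKDF2 cryptographically, it only makes each guess cheap, so an attacker who can read other users' stored keys (as the advisory describes) can run a dictionary attack offline at a rate the server never sees.

```python
import hashlib
import hmac
import os
import time

# Illustrative work factors (assumption: the page does not state Desigo's actual count).
# 600,000 is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256.
LOW_ITERATIONS = 1_000
STRONG_ITERATIONS = 600_000
DKLEN = 32


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the given iteration count (the only tunable cost)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DKLEN)


def make_record(username: str, password: str, iterations: int) -> dict:
    """What a server stores per user: salt, iteration count and the derived key.
    This is exactly what the advisory says an attacker can read for other accounts."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "iterations": iterations,
            "dk": derive_key(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    """Server-side login check with a constant-time comparison."""
    return hmac.compare_digest(
        derive_key(password, record["salt"], record["iterations"]), record["dk"])


def offline_crack(record: dict, wordlist) -> tuple:
    """Attacker with read access to the record tries candidates offline.
    Returns (recovered password or None, number of guesses made)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        # Plain == is fine here: this is the attacker's side, not the server's.
        if derive_key(candidate, record["salt"], record["iterations"]) == record["dk"]:
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Rough cost of one PBKDF2 evaluation on this machine at the given work factor."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


# Constructed sample wordlist (not from the advisory), the kind of list a
# cracker would be fed; the victim's password is deliberately in it.
WORDLIST = ["password", "123456", "admin", "Siemens1", "Building2022!", "letmein"]


if __name__ == "__main__":
    weak = make_record("operator", "Building2022!", LOW_ITERATIONS)
    strong = make_record("operator", "Building2022!", STRONG_ITERATIONS)
    assert verify(weak, "Building2022!") and verify(strong, "Building2022!")

    found, n = offline_crack(weak, WORDLIST)
    print(f"weak record: recovered {found!r} after {n} guesses")

    low = seconds_per_guess(LOW_ITERATIONS)
    high = seconds_per_guess(STRONG_ITERATIONS, samples=2)
    print(f"cost per guess: {low * 1e6:.0f} us at {LOW_ITERATIONS} iterations, "
          f"{high * 1e3:.0f} ms at {STRONG_ITERATIONS} iterations "
          f"(about {high / low:.0f}x more work per guess for the attacker)")
```

Running the script shows the same wordlist recovering the weak record in a handful of cheap guesses, while each guess against the strong record costs hundreds of times more; on GPU crackers that ratio is what separates a dictionary run of minutes from one of months. Two practical caveats follow from the code: the iteration count must be stored with the record (as here) so it can be raised over time, and because only the derived key is kept, existing records cannot be re-derived at a higher count until the user next supplies the plaintext at login.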