7.1

CVE-2022-2513

EPSS 0.02%
Published 22.11.2022 11:15:29
Last modified 21.11.2024 07:01:09
Source cybersecurity@hitachienergy.co
Teams watchlist Login
Open Login

A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database and logs files. An attacker having get access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machine can obtain other user credentials by analyzing database log files. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Hitachienergy ≫ 650connectivitypackage Version1.3.0

Hitachienergy ≫ 650connectivitypackage Version2.1.2

Hitachienergy ≫ 650connectivitypackage Version2.2.2

Hitachienergy ≫ 650connectivitypackage Version2.3.0

Hitachienergy ≫ 650connectivitypackage Version2.4.1

Hitachienergy ≫ 670connectivitypackage Version3.0.2

Hitachienergy ≫ 670connectivitypackage Version3.1.2

Hitachienergy ≫ 670connectivitypackage Version3.2.6

Hitachienergy ≫ 670connectivitypackage Version3.3.0

Hitachienergy ≫ 670connectivitypackage Version3.4.1

Hitachienergy ≫ Gms600connectivitypackage Version1.3.0

Hitachienergy ≫ Gms600connectivitypackage Version1.3.1

Hitachienergy ≫ Pcm600 Version <= 2.11

Hitachienergy ≫ Pwc600connectivitypackage Version1.1.0

Hitachienergy ≫ Pwc600connectivitypackage Version1.1.1

Hitachienergy ≫ Pwc600connectivitypackage Version1.1.2

Hitachienergy ≫ Pwc600connectivitypackage Version1.2.0

Hitachienergy ≫ Pwc600connectivitypackage Version1.3.0

Hitachienergy ≫ Sam600ioconnectivitypackage Version1.0.0

Hitachienergy ≫ Sam600ioconnectivitypackage Version1.1.0

Hitachienergy ≫ Sam600ioconnectivitypackage Version1.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.033

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cybersecurity@hitachienergy.com	7.1	2.5	4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://publisher.hitachienergy.com/preview?DocumentID=8DBD000120&LanguageCode=en&DocumentPartId=&Action=Launch

https://nvd.nist.gov/vuln/detail/CVE-2022-2513

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-2513

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-2513

EUVD