History: Jan 12, 2023 - 3:15 p.m.

CVE-2022-2155

2023-01-12 15:15:09
CWE-863
Hitachi Energy
web.nvd.nist.gov

CVSS3: 7.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score: 6.7 (Confidence: High)

EPSS: 0.001 (Percentile: 28.2%)

A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining unauthorized access to any Power BI reports installed by the customer.

Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.

Affected versions

  • Lumada APM on-premises version 6.0.0.0 - 6.4.0.*

List of CPEs:

  • cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*

Affected configurations

Nvd

Node: hitachienergy lumada_asset_performance_management, Range 6.0.0.0 - 6.4.0.1, on-premises

  • Vendor: hitachienergy
  • Product: lumada_asset_performance_management
  • Version: *
  • CPE: cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Lumada APM",
    "vendor": "Hitachi Energy",
    "versions": [
      {
        "status": "affected",
        "version": "6.0.0.*"
      },
      {
        "status": "affected",
        "version": "6.1.0.*"
      },
      {
        "status": "affected",
        "version": "6.2.0.*"
      },
      {
        "status": "affected",
        "version": "6.3.0.*"
      },
      {
        "status": "affected",
        "version": "6.4.0.0"
      },
      {
        "status": "unaffected",
        "version": "6.4.0.1"
      },
      {
        "status": "unaffected",
        "version": "6.5.0.0"
      }
    ]
  }
]
