Lucene search

[email protected]CVE-2022-24040

HistoryMay 10, 2022 - 11:15 a.m.

CVE-2022-24040

2022-05-1011:15:08

CWE-400

[email protected]

web.nvd.nist.gov

cve-2022-24040

vulnerability

desigo dxr2

desigo pxc3

desigo pxc4

desigo pxc5

web application

dos

cpu consumption

nvd

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.1%

JSON

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2 derived key with a remarkably high cost effort and then attempting a login to the so-modified account.

Affected configurations

NVD

Node

siemensdesigo_pxc5_firmwareRange<02.20.142.10-10884

AND

siemensdesigo_pxc5Match-

Node

siemensdesigo_pxc4_firmwareRange<02.20.142.10-10884

AND

siemensdesigo_pxc4Match-

Node

siemensdesigo_pxc3_firmwareRange<01.21.142.4-18

AND

siemensdesigo_pxc3Match-

Node

siemensdesigo_dxr2_firmwareRange<01.21.142.5-22

AND

siemensdesigo_dxr2Match-

CPENameOperatorVersion
siemens:desigo_pxc5_firmwaresiemens desigo pxc5 firmwarelt02.20.142.10-10884

CPE	Name	Operator	Version
siemens:desigo_pxc5_firmware	siemens desigo pxc5 firmware	lt	02.20.142.10-10884

CNA Affected

[
  {
    "product": "Desigo DXR2",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V01.21.142.5-22"
      }
    ]
  },
  {
    "product": "Desigo PXC3",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V01.21.142.4-18"
      }
    ]
  },
  {
    "product": "Desigo PXC4",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V02.20.142.10-10884"
      }
    ]
  },
  {
    "product": "Desigo PXC5",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V02.20.142.10-10884"
      }
    ]
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf

Social References

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.1%

JSON

Related for CVE-2022-24040

nvd1 prion1 nessus1 cvelist1 ics1