CVE-2022-37013

2023-03-2919:15:12

CWE-835

[email protected]

web.nvd.nist.gov

cve-2022-37013

remote dos

unified automation

opc ua

c++

demo server

vulnerability

denial of service

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

71.1%

JSON

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537 [with vendor rollup]. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of certificates. A crafted certificate can force the server into an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-17203.

Affected configurations

Vulners

NVD

Node

unified_automationopc_ua_c\+\+_demo_serverRange≤1.7.6

CPENameOperatorVersion
unified-automation:opc_ua_c\+\+_demo_serverunified-automation opc ua c++ demo servereq1.7.6.537

CPE	Name	Operator	Version
unified-automation:opc_ua_c\+\+_demo_server	unified-automation opc ua c++ demo server	eq	1.7.6.537

CNA Affected

[
  {
    "vendor": "Unified Automation",
    "product": "OPC UA C++ Demo Server",
    "versions": [
      {
        "version": "1.7.6-537 [with vendor rollup]",
        "status": "affected"
      }
    ]
  }
]