CVE-2022-43514

2023-01-10 12:15:23
CWE-22
web.nvd.nist.gov
Tags: cve-2022-43514, automation license manager, vulnerability, remote code execution, nvd

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1 High (Confidence: High)

EPSS: 0.015 Low (Percentile: 86.8%)

A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4), TeleControl Server Basic V3 (All versions < V3.1.2). The affected component does not correctly validate the root path on folder-related operations, which allows files and folders outside the intended root directory to be modified.
This could allow an unauthenticated remote attacker to execute file operations on files outside of the specified root folder. Chained with CVE-2022-43513, this could allow Remote Code Execution.

Affected configurations

NVD
Node (entries combined with OR):
siemens automation_license_manager, Match 5.0.0
siemens automation_license_manager, Match 5.1
siemens automation_license_manager, Match 5.1 sp1
siemens automation_license_manager, Match 5.2
siemens automation_license_manager, Match 5.3
siemens automation_license_manager, Match 5.3 sp3
siemens automation_license_manager, Match 5.3.4.4
siemens automation_license_manager, Match 6.0
siemens automation_license_manager, Match 6.0.1
siemens automation_license_manager, Match 6.0.8
siemens automation_license_manager, Match 6.0.9

CNA Affected

[
  {
    "vendor": "Siemens",
    "product": "Automation License Manager V5",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "*",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "Automation License Manager V6",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V6.0 SP9 Upd4"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "TeleControl Server Basic V3",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "V3.1.2",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
