Lucene search

IcscertCVELIST:CVE-2022-3089

HistoryFeb 13, 2023 - 4:28 p.m.

CVE-2022-3089 EnOcean SmartServer Hard-coded credentials

2023-02-1316:28:57

CWE-798

icscert

www.cve.org

cve-2022-3089

enocean smartserver

hard-coded credentials

cleartext

unauthorized access

web user interface

file transfer protocol (ftp)

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.6%

JSON

Echelon SmartServer 2.2 with i.LON Vision 2.2 stores cleartext credentials in a file, which could allow an attacker to obtain cleartext usernames and passwords of the SmartServer. If the attacker obtains the file, then the credentials could be used to control the web user interface and file transfer protocol (FTP) server.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Smartserver",
    "vendor": "EnOcean",
    "versions": [
      {
        "status": "affected",
        "version": " v2.2 SR8/SP8 (4.12.006) with i.LON Vision v2.2 SR8/SP8 (4.12.006)"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-23-037-01

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.6%

JSON

Related for CVELIST:CVE-2022-3089