Lucene search

K
nvd[email protected]NVD:CVE-2022-24043
HistoryMay 20, 2022 - 1:15 p.m.

CVE-2022-24043

2022-05-2013:15:14
CWE-203
web.nvd.nist.gov
2
vulnerability
desigo dxr2
desigo pxc3
username enumeration

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

31.3%

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application fails to normalize the response times of login attempts performed with wrong usernames with the ones executed with correct usernames. A remote unauthenticated attacker could exploit this side-channel information to perform a username enumeration attack and identify valid usernames.

Affected configurations

Nvd
Node
siemensdesigo_dxr2_firmwareRange<01.21.142.5-22
AND
siemensdesigo_dxr2Match-
Node
siemensdesigo_pxc3_firmwareRange<01.21.142.4-18
AND
siemensdesigo_pxc3Match-
Node
siemensdesigo_pxc4_firmwareRange<02.20.142.10-10884
AND
siemensdesigo_pxc4Match-
Node
siemensdesigo_pxc5_firmwareRange<02.20.142.10-10884
AND
siemensdesigo_pxc5Match-
VendorProductVersionCPE
siemensdesigo_dxr2_firmware*cpe:2.3:o:siemens:desigo_dxr2_firmware:*:*:*:*:*:*:*:*
siemensdesigo_dxr2-cpe:2.3:h:siemens:desigo_dxr2:-:*:*:*:*:*:*:*
siemensdesigo_pxc3_firmware*cpe:2.3:o:siemens:desigo_pxc3_firmware:*:*:*:*:*:*:*:*
siemensdesigo_pxc3-cpe:2.3:h:siemens:desigo_pxc3:-:*:*:*:*:*:*:*
siemensdesigo_pxc4_firmware*cpe:2.3:o:siemens:desigo_pxc4_firmware:*:*:*:*:*:*:*:*
siemensdesigo_pxc4-cpe:2.3:h:siemens:desigo_pxc4:-:*:*:*:*:*:*:*
siemensdesigo_pxc5_firmware*cpe:2.3:o:siemens:desigo_pxc5_firmware:*:*:*:*:*:*:*:*
siemensdesigo_pxc5-cpe:2.3:h:siemens:desigo_pxc5:-:*:*:*:*:*:*:*

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

31.3%

Related for NVD:CVE-2022-24043