nvd NVD:CVE-2022-40282
History: Nov 25, 2022 - 5:15 a.m.

CVE-2022-40282

2022-11-25 05:15:13
web.nvd.nist.gov
hirschmann bat-c2 web server
authenticated command injection
shell commands
fscreatedir ajax function
security vulnerability
bsecv-2022-21.

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003
Percentile: 68.3%

The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor’s ID is BSECV-2022-21.

Affected configurations

Nvd
Node
belden | hirschmann_bat-c2_firmware | Range <09.13.00r04
AND
belden | hirschmann_bat-c2 | Match -

Vendor | Product | Version | CPE
belden | hirschmann_bat-c2_firmware | * | cpe:2.3:o:belden:hirschmann_bat-c2_firmware:*:*:*:*:*:*:*:*
belden | hirschmann_bat-c2 | - | cpe:2.3:h:belden:hirschmann_bat-c2:-:*:*:*:*:*:*:*
