CVE-2022-45914

2022-11-2701:15:10

CWE-294

[email protected]

web.nvd.nist.gov

esl protocol

etag-2130-v4.3

authentication bypass

rf signals

label manipulation

CVSS3

6.5

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

34.0%

JSON

The ESL (Electronic Shelf Label) protocol, as implemented by (for example) the OV80e934802 RF transceiver on the ETAG-2130-V4.3 20190629 board, does not use authentication, which allows attackers to change label values via 433 MHz RF signals, as demonstrated by disrupting the organization of a hospital storage unit, or changing retail pricing.

Affected configurations

Nvd

Node

electronic_shelf_label_protocol_projectelectronic_shelf_label_protocolMatch-

VendorProductVersionCPE
electronic_shelf_label_protocol_projectelectronic_shelf_label_protocol-cpe:2.3:a:electronic_shelf_label_protocol_project:electronic_shelf_label_protocol:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
electronic_shelf_label_protocol_project	electronic_shelf_label_protocol	-	cpe:2.3:a:electronic_shelf_label_protocol_project:electronic_shelf_label_protocol:-:::::::*