CVE-2022-1118 Vulnerability Details

  /     /     /  

CVE-2022-1118 Metadata Quick Info

CVE Published: 17/05/2022 | CVE Updated: 02/08/2024 | CVE Year: 2022
Source: icscert | Vendor: Rockwell Automation | Product: Connected Component Workbench
Status : PUBLISHED

---

CVE-2022-1118 Description

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

Metrics

CVSS Version: 3.1 | Base Score: 8.6 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* LOCAL
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-502
CWE Name: CWE-502 Deserialization of Untrusted Data
Source: Rockwell Automation

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).