CVE Published: 04/11/2022 |
CVE Updated: 03/08/2024 |
CVE Year: 2022 Source: schneider |
Vendor: Schneider Electric |
Product: EcoStruxure Operator Terminal Expert Status : PUBLISHED
CVE-2022-41670 Description
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
Metrics
CVSS Version: 3.1 |
Base Score: 7 HIGH Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
l➤ Exploitability Metrics: Attack Vector (AV)* LOCAL Attack Complexity (AC)* HIGH Privileges Required (PR)* LOW User Interaction (UI)* NONE Scope (S)* UNCHANGED
l➤ Impact Metrics: Confidentiality Impact (C)* HIGH Integrity Impact (I)* HIGH Availability Impact (A)* HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-22 CWE Name: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (
Path Traversal
) Source: Schneider Electric
Common Attack Pattern Enumeration and Classification (CAPEC)