Search criteria
8 vulnerabilities found for Controller CECC-X-M1 (4407603) by Festo
CVE-2022-30311 (GCVE-0-2022-30311)
Vulnerability from nvd – Published: 2022-06-13 13:45 – Updated: 2024-09-16 23:41
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-refresh-request\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-refresh-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:36:02.588Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30311",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-refresh-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30311",
"datePublished": "2022-06-13T13:45:24.763Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:41:46.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30310 (GCVE-0-2022-30310)
Vulnerability from nvd – Published: 2022-06-13 13:45 – Updated: 2024-11-20 15:21
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-30310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-16T16:41:19.148257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:21:04.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-acknerr-request\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-acknerr-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:35:23.988Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30310",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-acknerr-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30310",
"datePublished": "2022-06-13T13:45:23.105Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-11-20T15:21:04.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30309 (GCVE-0-2022-30309)
Vulnerability from nvd – Published: 2022-06-13 13:45 – Updated: 2024-09-16 22:15
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-web-viewer-request-off\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-off\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:35:06.910Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30309",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-off\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30309",
"datePublished": "2022-06-13T13:45:21.634Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:15:41.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30308 (GCVE-0-2022-30308)
Vulnerability from nvd – Published: 2022-06-13 13:45 – Updated: 2024-09-16 22:40
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-web-viewer-request-on\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-on\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:34:11.747Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30308",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-on\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30308",
"datePublished": "2022-06-13T13:45:20.015Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:40:02.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30311 (GCVE-0-2022-30311)
Vulnerability from cvelistv5 – Published: 2022-06-13 13:45 – Updated: 2024-09-16 23:41
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-refresh-request\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-refresh-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:36:02.588Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30311",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-refresh-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30311",
"datePublished": "2022-06-13T13:45:24.763Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:41:46.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30310 (GCVE-0-2022-30310)
Vulnerability from cvelistv5 – Published: 2022-06-13 13:45 – Updated: 2024-11-20 15:21
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-30310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-16T16:41:19.148257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:21:04.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-acknerr-request\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-acknerr-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:35:23.988Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30310",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-acknerr-request\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30310",
"datePublished": "2022-06-13T13:45:23.105Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-11-20T15:21:04.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30309 (GCVE-0-2022-30309)
Vulnerability from cvelistv5 – Published: 2022-06-13 13:45 – Updated: 2024-09-16 22:15
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-web-viewer-request-off\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-off\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:35:06.910Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30309",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-off\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30309",
"datePublished": "2022-06-13T13:45:21.634Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:15:41.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30308 (GCVE-0-2022-30308)
Vulnerability from cvelistv5 – Published: 2022-06-13 13:45 – Updated: 2024-09-16 22:40
VLAI
Title
FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability
Summary
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
Severity
9.8 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en/advisories/VDE-2022-020/ | x_refsource_CONFIRM |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Festo | Controller CECC-X-M1 (4407603) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1 (8124922) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV (4407605) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV (8124923) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-MV-S1 (4407606) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-MV-S1 (8124924) |
Affected:
4.0.14
|
|
| Festo | Controller CECC-X-M1-YS-L1 (8082793) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-YS-L2 (8082794) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Controller CECC-X-M1-Y-YJKP (4803891) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP (8077950) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
|
| Festo | Servo Press Kit YJKP- (8058596) |
Affected:
3.0.0 , ≤ 3.8.14
(custom)
|
Date Public
2022-06-07 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:35.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (4407603)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1 (8124922)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (4407605)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV (8124923)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (4407606)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-MV-S1 (8124924)",
"vendor": "Festo",
"versions": [
{
"status": "affected",
"version": "4.0.14"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L1 (8082793)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-YS-L2 (8082794)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Controller CECC-X-M1-Y-YJKP (4803891)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP (8077950)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Servo Press Kit YJKP- (8058596)",
"vendor": "Festo",
"versions": [
{
"lessThanOrEqual": "3.8.14",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"datePublic": "2022-06-07T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \u0026quot;cecc-x-web-viewer-request-on\u0026quot; POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.\u003c/p\u003e"
}
],
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-on\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T07:34:11.747Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
],
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
},
"title": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2022-06-08T08:00:00.000Z",
"ID": "CVE-2022-30308",
"STATE": "PUBLIC",
"TITLE": "FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Controller CECC-X-M1 (4407603)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1 (8124922)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (4407605)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV (8124923)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (4407606)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-MV-S1 (8124924)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "4.0.14",
"version_value": "4.0.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L1 (8082793)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-YS-L2 (8082794)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Controller CECC-X-M1-Y-YJKP (4803891)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP (8077950)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
},
{
"product_name": "Servo Press Kit YJKP- (8058596)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.0.0",
"version_value": "3.8.14"
}
]
}
}
]
},
"vendor_name": "Festo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Q. Kaiser, M. Illes from ONEKEY Research Labs for reported to Festo"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint \"cecc-x-web-viewer-request-on\" POST request doesn\u2019t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en/advisories/VDE-2022-020/",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en/advisories/VDE-2022-020/"
}
]
},
"source": {
"advisory": "VDE-2022-020",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-30308",
"datePublished": "2022-06-13T13:45:20.015Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:40:02.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}