Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-23129 (GCVE-0-2022-23129)
Vulnerability from cvelistv5 – Published: 2022-01-21 18:17 – Updated: 2024-08-03 03:36
VLAI?
EPSS
Summary
Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.
Severity ?
No CVSS data available.
CWE
- Plaintext Storage of a Password
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Mitsubishi Electric MC Works64; ICONICS GENESIS64 |
Affected:
Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior
Affected: ICONICS GENESIS64 versions 10.90 to 10.97 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:19.744Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mitsubishi Electric MC Works64; ICONICS GENESIS64",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"
},
{
"status": "affected",
"version": "ICONICS GENESIS64 versions 10.90 to 10.97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Plaintext Storage of a Password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-21T18:17:31.000Z",
"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"shortName": "Mitsubishi"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"ID": "CVE-2022-23129",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mitsubishi Electric MC Works64; ICONICS GENESIS64",
"version": {
"version_data": [
{
"version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"
},
{
"version_value": "ICONICS GENESIS64 versions 10.90 to 10.97"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Plaintext Storage of a Password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/vu/JVNVU95403720/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf",
"refsource": "MISC",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"assignerShortName": "Mitsubishi",
"cveId": "CVE-2022-23129",
"datePublished": "2022-01-21T18:17:31.000Z",
"dateReserved": "2022-01-11T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:36:19.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23129\",\"sourceIdentifier\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"published\":\"2022-01-21T19:15:10.037\",\"lastModified\":\"2024-11-21T06:48:03.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de almacenamiento de texto plano de una contrase\u00f1a en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores y en ICONICS GENESIS64 versiones 10.90 a 10.97, permite a un atacante local autenticado conseguir informaci\u00f3n de autenticaci\u00f3n y acceder a la base de datos de forma ilegal. Esto es debido a que cuando la informaci\u00f3n de configuraci\u00f3n de GridWorX, una funci\u00f3n de enlace de bases de datos de GENESIS64 y MC Works64, es exportada a un archivo CSV, la informaci\u00f3n de autenticaci\u00f3n es guardada en texto plano, y un atacante que pueda acceder a este archivo CSV puede conseguir la informaci\u00f3n de autenticaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-312\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.90\",\"versionEndIncluding\":\"10.97\",\"matchCriteriaId\":\"244286B8-A94E-451A-A79F-895B01BCE0FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.95.210.01\",\"matchCriteriaId\":\"D31E1BFD-8194-4BA1-998B-BC4005454C15\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/vu/JVNVU95403720/index.html\",\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01\",\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\",\"VDB Entry\"]},{\"url\":\"https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf\",\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/vu/JVNVU95403720/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\",\"VDB Entry\"]},{\"url\":\"https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}"
}
}
ICSA-22-020-01
Vulnerability from csaf_cisa - Published: 2022-01-20 07:00 - Updated: 2026-03-05 07:00Summary
Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B)
Notes
Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Risk evaluation: Successful exploitation of these vulnerabilities could result in unauthorized access to information or to GENESIS64 and MC Works64 functionality, or the disabling of SQL Server in GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.
Critical infrastructure sectors: Critical Manufacturing
Countries/areas deployed: Worldwide
Company headquarters location: United States (Mitsubishi Electric Iconics Digital Solutions), Japan (Mitsubishi Electric)
Recommended Practices: CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices: CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Recommended Practices: Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices: Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Recommended Practices: No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
4.2 (Medium)
Vendor Fix
Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT
https://iconics.com/About/Security/CERT
Vendor Fix
Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-025_en.pdf
https://www.mitsubishielectric.com/psirt/vulnerab…
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.
9.8 (Critical)
Vendor Fix
Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT
https://iconics.com/About/Security/CERT
Vendor Fix
Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-026_en.pdf
https://www.mitsubishielectric.com/psirt/vulnerab…
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend switching the communication method of FrameWorX server from WebSocket communication to WCF communication and setting "WebSocketTransport" element to "false" in "FwxServer.Network.config" file located in the installation folder of the products, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.
7.7 (High)
Vendor Fix
Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT
https://iconics.com/About/Security/CERT
Vendor Fix
Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-027_en.pdf
https://www.mitsubishielectric.com/psirt/vulnerab…
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend deleting the authentication information (password) of the SQL database in the CSV file, after exporting the configuration information of GridWorX to the CSV file, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend deleting the authentication information (password) of the SQL database, before exporting the configuration information of GridWorX to the CSV file, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend changing the configuration of the security function so that users other than administrator is not authorized to export the configuration information of GridWorX to a CSV file, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.
5.9 (Medium)
Vendor Fix
Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT
https://iconics.com/About/Security/CERT
Vendor Fix
Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-028_en.pdf
https://www.mitsubishielectric.com/psirt/vulnerab…
No Fix Planned
There are no plans to release a security update for GENESIS32. To minimize the risk of exploitation of this vulnerability, please consider replacing to GENESIS64 or ICONICS Suite.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.
Mitigation
For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend avoiding clicking on web links in emails etc. from untrusted sources, and avoiding opening files attached to untrusted emails, to minimize the risk of exploiting this vulnerability.
References
Acknowledgments
Mitsubishi Electric Iconics Digital Solutions
Mitsubishi Electric
{
"document": {
"acknowledgments": [
{
"organization": "Mitsubishi Electric Iconics Digital Solutions",
"summary": "reported these vulnerabilities to CISA"
},
{
"organization": "Mitsubishi Electric",
"summary": "reported these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
"title": "Legal Notice and Terms of Use"
},
{
"category": "summary",
"text": "Successful exploitation of these vulnerabilities could result in unauthorized access to information or to GENESIS64 and MC Works64 functionality, or the disabling of SQL Server in GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Critical Manufacturing",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "United States (Mitsubishi Electric Iconics Digital Solutions), Japan (Mitsubishi Electric)",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-22-020-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-020-01.json"
},
{
"category": "self",
"summary": "ICSA Advisory ICSA-22-020-01 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks"
}
],
"title": "Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B)",
"tracking": {
"current_release_date": "2026-03-05T07:00:00.000000Z",
"generator": {
"date": "2026-03-05T00:05:34.123002Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-22-020-01",
"initial_release_date": "2022-01-20T07:00:00.000000Z",
"revision_history": [
{
"date": "2022-01-20T07:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "IInitial Publication"
},
{
"date": "2026-01-08T00:00:00.000000Z",
"legacy_version": "Update A",
"number": "2",
"summary": "Update A - Added GENESIS32."
},
{
"date": "2026-03-05T00:00:00.000000Z",
"legacy_version": "Update B",
"number": "3",
"summary": "Update B - Fixes for affected versions and typographical errors"
}
],
"status": "draft",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.96.2",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: \u003c=10.96.2",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.95.3 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: \u003e=10.95.3 | \u003c=10.97",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.90 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: \u003e=10.90 | \u003c=10.97",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: \u003c=10.97",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.96.2",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS64: \u003c=10.96.2",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.95.3 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS64: \u003e=10.95.3 | \u003c=10.97",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.90 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS64: \u003e=10.90 | \u003c=10.97",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS64: \u003c=10.97",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.96.2",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions Hyper Historian: \u003c=10.96.2",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "Hyper Historian"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.95.3 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions Hyper Historian: \u003e=10.95.3 | \u003c=10.97",
"product_id": "CSAFPID-0010"
}
}
],
"category": "product_name",
"name": "Hyper Historian"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.90 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions Hyper Historian: \u003e=10.90 | \u003c=10.97",
"product_id": "CSAFPID-0011"
}
}
],
"category": "product_name",
"name": "Hyper Historian"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions Hyper Historian: \u003c=10.97",
"product_id": "CSAFPID-0012"
}
}
],
"category": "product_name",
"name": "Hyper Historian"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.96.2",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions AnalytiX: \u003c=10.96.2",
"product_id": "CSAFPID-0013"
}
}
],
"category": "product_name",
"name": "AnalytiX"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.95.3 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions AnalytiX: \u003e=10.95.3 | \u003c=10.97",
"product_id": "CSAFPID-0014"
}
}
],
"category": "product_name",
"name": "AnalytiX"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.90 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions AnalytiX: \u003e=10.90 | \u003c=10.97",
"product_id": "CSAFPID-0015"
}
}
],
"category": "product_name",
"name": "AnalytiX"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions AnalytiX: \u003c=10.97",
"product_id": "CSAFPID-0016"
}
}
],
"category": "product_name",
"name": "AnalytiX"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.96.2",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions MobileHMI: \u003c=10.96.2",
"product_id": "CSAFPID-0017"
}
}
],
"category": "product_name",
"name": "MobileHMI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.95.3 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions MobileHMI: \u003e=10.95.3 | \u003c=10.97",
"product_id": "CSAFPID-0018"
}
}
],
"category": "product_name",
"name": "MobileHMI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.90 | \u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions MobileHMI: \u003e=10.90 | \u003c=10.97",
"product_id": "CSAFPID-0019"
}
}
],
"category": "product_name",
"name": "MobileHMI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=10.97",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions MobileHMI: \u003c=10.97",
"product_id": "CSAFPID-0020"
}
}
],
"category": "product_name",
"name": "MobileHMI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=9.7",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS32: \u003c=9.7",
"product_id": "CSAFPID-0021"
}
}
],
"category": "product_name",
"name": "GENESIS32"
}
],
"category": "vendor",
"name": "Mitsubishi Electric Iconics Digital Solutions"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "10.97",
"product": {
"name": "Mitsubishi Electric ICONICS Suite: 10.97",
"product_id": "CSAFPID-0022"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version",
"name": "10.97",
"product": {
"name": "Mitsubishi Electric GENESIS64: 10.97",
"product_id": "CSAFPID-0023"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version",
"name": "10.97",
"product": {
"name": "Mitsubishi Electric Hyper Historian: 10.97",
"product_id": "CSAFPID-0024"
}
}
],
"category": "product_name",
"name": "Hyper Historian"
},
{
"branches": [
{
"category": "product_version",
"name": "10.97",
"product": {
"name": "Mitsubishi Electric AnalytiX: 10.97",
"product_id": "CSAFPID-0025"
}
}
],
"category": "product_name",
"name": "AnalytiX"
},
{
"branches": [
{
"category": "product_version",
"name": "10.97",
"product": {
"name": "Mitsubishi Electric MobileHMI: 10.97",
"product_id": "CSAFPID-0026"
}
}
],
"category": "product_name",
"name": "MobileHMI"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=9.7",
"product": {
"name": "Mitsubishi Electric GENESIS32: \u003c=9.7",
"product_id": "CSAFPID-0027"
}
}
],
"category": "product_name",
"name": "GENESIS32"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=4.04E",
"product": {
"name": "Mitsubishi Electric MC Works64: \u003c=4.04E",
"product_id": "CSAFPID-0028"
}
}
],
"category": "product_name",
"name": "MC Works64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=4.00A | \u003c=4.04E",
"product": {
"name": "Mitsubishi Electric MC Works64: \u003e=4.00A | \u003c=4.04E",
"product_id": "CSAFPID-0029"
}
}
],
"category": "product_name",
"name": "MC Works64"
}
],
"category": "vendor",
"name": "Mitsubishi Electric"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23127",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Information disclosure vulnerability due to Improper Neutralization of Input During Web Page Generation (CWE-79) caused by the lack of proper input verification exists in Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite and Mitsubishi Electric MC Works64.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2026-02-10T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0005",
"CSAFPID-0009",
"CSAFPID-0013",
"CSAFPID-0017",
"CSAFPID-0028"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23127"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0005",
"CSAFPID-0009",
"CSAFPID-0013",
"CSAFPID-0017"
],
"url": "https://iconics.com/About/Security/CERT"
},
{
"category": "vendor_fix",
"details": " Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-025_en.pdf",
"product_ids": [
"CSAFPID-0028"
],
"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-025_en.pdf"
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0005",
"CSAFPID-0009",
"CSAFPID-0013",
"CSAFPID-0017",
"CSAFPID-0028"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0005",
"CSAFPID-0009",
"CSAFPID-0013",
"CSAFPID-0017",
"CSAFPID-0028"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0005",
"CSAFPID-0009",
"CSAFPID-0013",
"CSAFPID-0017",
"CSAFPID-0028"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0005",
"CSAFPID-0009",
"CSAFPID-0013",
"CSAFPID-0017",
"CSAFPID-0028"
]
}
]
},
{
"cve": "CVE-2022-23128",
"cwe": {
"id": "CWE-184",
"name": "Incomplete List of Disallowed Inputs"
},
"notes": [
{
"category": "summary",
"text": " Authentication bypass vulnerability due to Incomplete List of Disallowed Inputs (CWE-184) exists in Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:Y/T:T/2026-02-10T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0002",
"CSAFPID-0006",
"CSAFPID-0010",
"CSAFPID-0014",
"CSAFPID-0018",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23128"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT",
"product_ids": [
"CSAFPID-0002",
"CSAFPID-0006",
"CSAFPID-0010",
"CSAFPID-0014",
"CSAFPID-0018"
],
"url": "https://iconics.com/About/Security/CERT"
},
{
"category": "vendor_fix",
"details": "Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-026_en.pdf",
"product_ids": [
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
],
"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-026_en.pdf"
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend switching the communication method of FrameWorX server from WebSocket communication to WCF communication and setting \"WebSocketTransport\" element to \"false\" in \"FwxServer.Network.config\" file located in the installation folder of the products, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0002",
"CSAFPID-0006",
"CSAFPID-0010",
"CSAFPID-0014",
"CSAFPID-0018",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0002",
"CSAFPID-0006",
"CSAFPID-0010",
"CSAFPID-0014",
"CSAFPID-0018",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0002",
"CSAFPID-0006",
"CSAFPID-0010",
"CSAFPID-0014",
"CSAFPID-0018",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0002",
"CSAFPID-0006",
"CSAFPID-0010",
"CSAFPID-0014",
"CSAFPID-0018",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
]
}
]
},
{
"cve": "CVE-2022-23129",
"cwe": {
"id": "CWE-256",
"name": "Plaintext Storage of a Password"
},
"notes": [
{
"category": "summary",
"text": "Information disclosure vulnerability due to Plaintext Storage of a Password (CWE-256) exists in Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite and Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:T/2026-02-10T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23129"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT",
"product_ids": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019"
],
"url": "https://iconics.com/About/Security/CERT"
},
{
"category": "vendor_fix",
"details": "Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-027_en.pdf",
"product_ids": [
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
],
"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-027_en.pdf"
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend deleting the authentication information (password) of the SQL database in the CSV file, after exporting the configuration information of GridWorX to the CSV file, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend deleting the authentication information (password) of the SQL database, before exporting the configuration information of GridWorX to the CSV file, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend changing the configuration of the security function so that users other than administrator is not authorized to export the configuration information of GridWorX to a CSV file, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0003",
"CSAFPID-0007",
"CSAFPID-0011",
"CSAFPID-0015",
"CSAFPID-0019",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0028"
]
}
]
},
{
"cve": "CVE-2022-23130",
"cwe": {
"id": "CWE-126",
"name": "Buffer Over-read"
},
"notes": [
{
"category": "summary",
"text": " Denial-of-Service (DoS) vulnerability due to Buffer Over-read (CWE-126) exists in database server of Mitsubishi Electric Iconics Digital Solutions GENESIS64, ICONICS, and GENESIS32 Suite and Mitsubishi Electric GENESIS64, ICONICS Suite, GENESIS32, and MC Works64.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2026-02-10T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0004",
"CSAFPID-0008",
"CSAFPID-0012",
"CSAFPID-0016",
"CSAFPID-0020",
"CSAFPID-0021",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0027",
"CSAFPID-0029"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23130"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT",
"product_ids": [
"CSAFPID-0004",
"CSAFPID-0008",
"CSAFPID-0012",
"CSAFPID-0016",
"CSAFPID-0020"
],
"url": "https://iconics.com/About/Security/CERT"
},
{
"category": "vendor_fix",
"details": "Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-028_en.pdf",
"product_ids": [
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0029"
],
"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-028_en.pdf"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for GENESIS32. To minimize the risk of exploitation of this vulnerability, please consider replacing to GENESIS64 or ICONICS Suite.",
"product_ids": [
"CSAFPID-0021",
"CSAFPID-0027"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0004",
"CSAFPID-0008",
"CSAFPID-0012",
"CSAFPID-0016",
"CSAFPID-0020",
"CSAFPID-0021",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0027",
"CSAFPID-0029"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0004",
"CSAFPID-0008",
"CSAFPID-0012",
"CSAFPID-0016",
"CSAFPID-0020",
"CSAFPID-0021",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0027",
"CSAFPID-0029"
]
},
{
"category": "mitigation",
"details": "For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend avoiding clicking on web links in emails etc. from untrusted sources, and avoiding opening files attached to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0004",
"CSAFPID-0008",
"CSAFPID-0012",
"CSAFPID-0016",
"CSAFPID-0020",
"CSAFPID-0021",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0027",
"CSAFPID-0029"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0004",
"CSAFPID-0008",
"CSAFPID-0012",
"CSAFPID-0016",
"CSAFPID-0020",
"CSAFPID-0021",
"CSAFPID-0022",
"CSAFPID-0023",
"CSAFPID-0024",
"CSAFPID-0025",
"CSAFPID-0026",
"CSAFPID-0027",
"CSAFPID-0029"
]
}
]
}
]
}
BDU:2022-05424
Vulnerability from fstec - Published: 20.01.2022
VLAI Severity ?
Title
Уязвимость программных средств мониторинга и управления рабочим процессом ICONICS Suite, GENESIS64, Hyper Historian, Energy AnalytiX и MobileHMI, связанная с хранением паролей в незашифрованном виде, позволяющая нарушителю раскрыть защищаемую информацию
Description
Уязвимость программных средств мониторинга и управления рабочим процессом ICONICS Suite, GENESIS64, Hyper Historian, Energy AnalytiX и MobileHMI связана с хранением паролей в незашифрованном виде. Эксплуатация уязвимости может позволить нарушителю раскрыть защищаемую информацию
Severity ?
Vendor
ICONICS
Software Name
ICONICS Suite, GENESIS64, Hyper Historian, Energy AnalytiX, MobileHMI
Software Version
от 10.90 до 10.97 (ICONICS Suite), от 10.90 до 10.97 (GENESIS64), от 10.90 до 10.97 (Hyper Historian), от 10.90 до 10.97 (Energy AnalytiX), от 10.90 до 10.97 (MobileHMI)
Possible Mitigations
Использование рекомендаций производителя:
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf
Reference
https://www.cybersecurity-help.cz/vdb/SB2022012107
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf
CWE
CWE-256
{
"CVSS 2.0": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"CVSS 3.0": "AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "ICONICS",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 10.90 \u0434\u043e 10.97 (ICONICS Suite), \u043e\u0442 10.90 \u0434\u043e 10.97 (GENESIS64), \u043e\u0442 10.90 \u0434\u043e 10.97 (Hyper Historian), \u043e\u0442 10.90 \u0434\u043e 10.97 (Energy AnalytiX), \u043e\u0442 10.90 \u0434\u043e 10.97 (MobileHMI)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "31.08.2022",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "31.08.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-05424",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-23129",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "ICONICS Suite, GENESIS64, Hyper Historian, Energy AnalytiX, MobileHMI",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0440\u0430\u0431\u043e\u0447\u0438\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u043c ICONICS Suite, GENESIS64, Hyper Historian, Energy AnalytiX \u0438 MobileHMI, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u0435\u043c \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u0432 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0432\u0438\u0434\u0435, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0425\u0440\u0430\u043d\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u043e\u043b\u044f \u0432 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0432\u0438\u0434\u0435 (CWE-256)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0440\u0430\u0431\u043e\u0447\u0438\u043c \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u043c ICONICS Suite, GENESIS64, Hyper Historian, Energy AnalytiX \u0438 MobileHMI \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u0435\u043c \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u0432 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0432\u0438\u0434\u0435. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.cybersecurity-help.cz/vdb/SB2022012107\nhttps://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-256",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,7)"
}
VAR-202201-0606
Vulnerability from variot - Updated: 2023-03-11 22:22Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information. Mitsubishi Electric MC Works64 and ICONICS GENESIS64 There is a vulnerability in plaintext storage of important information.Information may be obtained
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0606",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "genesis64",
"scope": "lte",
"trust": 1.0,
"vendor": "iconics",
"version": "10.97"
},
{
"model": "mc works64",
"scope": "lt",
"trust": 1.0,
"vendor": "mitsubishielectric",
"version": "10.95.210.01"
},
{
"model": "genesis64",
"scope": "gte",
"trust": 1.0,
"vendor": "iconics",
"version": "10.90"
},
{
"model": "genesis 64",
"scope": null,
"trust": 0.8,
"vendor": "iconics",
"version": null
},
{
"model": "mc works64",
"scope": "lte",
"trust": 0.8,
"vendor": "\u4e09\u83f1\u96fb\u6a5f",
"version": "4.04e (10.95.210.01) and earlier"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.97",
"versionStartIncluding": "10.90",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "10.95.210.01",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ICONICS and Mitsubishi Electric reported these vulnerabilities to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
}
],
"trust": 0.6
},
"cve": "CVE-2022-23129",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2022-23129",
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.8,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2022-23129",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-23129",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-23129",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-1795",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
},
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information. Mitsubishi Electric MC Works64 and ICONICS GENESIS64 There is a vulnerability in plaintext storage of important information.Information may be obtained",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-23129"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
}
],
"trust": 1.62
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-23129",
"trust": 3.2
},
{
"db": "JVN",
"id": "JVNVU95403720",
"trust": 2.4
},
{
"db": "ICS CERT",
"id": "ICSA-22-020-01",
"trust": 2.4
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003879",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2022.0311",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022012109",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-1795",
"trust": 0.6
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
},
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"id": "VAR-202201-0606",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.42615384
},
"last_update_date": "2023-03-11T22:22:54.544000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page Mitsubishi Electric Mitsubishi\u00a0Electric\u00a0Corporation",
"trust": 0.8,
"url": "https://iconics.com/"
},
{
"title": "Mitsubishi Electric MC Works64 Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=179834"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-312",
"trust": 1.0
},
{
"problemtype": "Plaintext storage of important information (CWE-312) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"trust": 1.6,
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
},
{
"trust": 1.6,
"url": "https://jvn.jp/vu/jvnvu95403720/index.html"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23129"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu95403720/"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0311"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/iconics-genesis64-four-vulnerabilities-37339"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012109"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
},
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
},
{
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-03-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"date": "2022-01-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-1795"
},
{
"date": "2022-01-21T19:15:00",
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-03-10T03:13:00",
"db": "JVNDB",
"id": "JVNDB-2022-003879"
},
{
"date": "2022-02-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-1795"
},
{
"date": "2022-01-27T20:09:00",
"db": "NVD",
"id": "CVE-2022-23129"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mitsubishi\u00a0Electric\u00a0MC\u00a0Works64\u00a0 and \u00a0ICONICS\u00a0GENESIS64\u00a0 Vulnerability in plaintext storage of important information in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003879"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-1795"
}
],
"trust": 0.6
}
}
FKIE_CVE-2022-23129
Vulnerability from fkie_nvd - Published: 2022-01-21 19:15 - Updated: 2024-11-21 06:48
Severity ?
Summary
Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.
References
| URL | Tags | ||
|---|---|---|---|
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://jvn.jp/vu/JVNVU95403720/index.html | Mitigation, Third Party Advisory, VDB Entry | |
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01 | Mitigation, Third Party Advisory, US Government Resource, VDB Entry | |
| Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp | https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/vu/JVNVU95403720/index.html | Mitigation, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01 | Mitigation, Third Party Advisory, US Government Resource, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| iconics | genesis64 | * | |
| mitsubishielectric | mc_works64 | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*",
"matchCriteriaId": "244286B8-A94E-451A-A79F-895B01BCE0FB",
"versionEndIncluding": "10.97",
"versionStartIncluding": "10.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D31E1BFD-8194-4BA1-998B-BC4005454C15",
"versionEndExcluding": "10.95.210.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."
},
{
"lang": "es",
"value": "Una vulnerabilidad de almacenamiento de texto plano de una contrase\u00f1a en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores y en ICONICS GENESIS64 versiones 10.90 a 10.97, permite a un atacante local autenticado conseguir informaci\u00f3n de autenticaci\u00f3n y acceder a la base de datos de forma ilegal. Esto es debido a que cuando la informaci\u00f3n de configuraci\u00f3n de GridWorX, una funci\u00f3n de enlace de bases de datos de GENESIS64 y MC Works64, es exportada a un archivo CSV, la informaci\u00f3n de autenticaci\u00f3n es guardada en texto plano, y un atacante que pueda acceder a este archivo CSV puede conseguir la informaci\u00f3n de autenticaci\u00f3n"
}
],
"id": "CVE-2022-23129",
"lastModified": "2024-11-21T06:48:03.540",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-21T19:15:10.037",
"references": [
{
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"tags": [
"Mitigation",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"tags": [
"Mitigation",
"Third Party Advisory",
"US Government Resource",
"VDB Entry"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory",
"US Government Resource",
"VDB Entry"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
],
"sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2022-23129
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-23129",
"description": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.",
"id": "GSD-2022-23129"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-23129"
],
"details": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.",
"id": "GSD-2022-23129",
"modified": "2023-12-13T01:19:35.482333Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"ID": "CVE-2022-23129",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mitsubishi Electric MC Works64; ICONICS GENESIS64",
"version": {
"version_data": [
{
"version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"
},
{
"version_value": "ICONICS GENESIS64 versions 10.90 to 10.97"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Plaintext Storage of a Password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/vu/JVNVU95403720/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf",
"refsource": "MISC",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.97",
"versionStartIncluding": "10.90",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "10.95.210.01",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"ID": "CVE-2022-23129"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01",
"refsource": "MISC",
"tags": [
"Mitigation",
"Third Party Advisory",
"US Government Resource",
"VDB Entry"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"name": "https://jvn.jp/vu/JVNVU95403720/index.html",
"refsource": "MISC",
"tags": [
"Mitigation",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf",
"refsource": "MISC",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-01-27T20:09Z",
"publishedDate": "2022-01-21T19:15Z"
}
}
}
GHSA-V8QM-C69G-X57Q
Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-28 00:03
VLAI?
Details
Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.
{
"affected": [],
"aliases": [
"CVE-2022-23129"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.",
"id": "GHSA-v8qm-c69g-x57q",
"modified": "2022-01-28T00:03:11Z",
"published": "2022-01-22T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23129"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU95403720/index.html"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…