MZ Automation libiec61850 hasta 1.4 MMS File Services mms_client_files.c filename directory traversal

ArtículoHistoryDiffjsonxmlCTI

Una vulnerabilidad clasificada como crítica ha sido encontrada en MZ Automation libiec61850 hasta 1.4. Una función desconocida del archivo src/mms/iso_mms/client/mms_client_files.c del componente MMS File Services es afectada por esta vulnerabilidad. Mediante la manipulación del parámetro filename de un input desconocido se causa una vulnerabilidad de clase directory traversal. El advisory puede ser descargado de github.com. La vulnerabilidad es identificada como CVE-2022-3976. El ataque puede ser iniciado desde la red local. Los detalles técnicos son conocidos. Fue declarado como no está definido. Una actualización a la versión 1.5 elimina esta vulnerabilidad. La actualización se puede descargar de github.com. El parche puede ser descargado de github.com. El mejor modo sugerido para mitigar el problema es actualizar a la última versión. Una solución posible ha sido publicada incluso antes y no después de la publicación de la vulnerabilidad.

Campo	2022-11-13 15:10	2022-12-17 15:18	2022-12-17 15:24
vendor	MZ Automation	MZ Automation	MZ Automation
name	libiec61850	libiec61850	libiec61850
version	<=1.4	<=1.4	<=1.4
component	MMS File Services	MMS File Services	MMS File Services
file	src/mms/iso_mms/client/mms_client_files.c	src/mms/iso_mms/client/mms_client_files.c	src/mms/iso_mms/client/mms_client_files.c
argument	filename	filename	filename
cwe	22 (directory traversal)	22 (directory traversal)	22 (directory traversal)
risk	2	2	2
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
identifier	10622ba36bb3910c151348f1569f039ecdd8786f	10622ba36bb3910c151348f1569f039ecdd8786f	10622ba36bb3910c151348f1569f039ecdd8786f
url	https://github.com/mz-automation/libiec61850/commit/10622ba36bb3910c151348f1569f039ecdd8786f	https://github.com/mz-automation/libiec61850/commit/10622ba36bb3910c151348f1569f039ecdd8786f	https://github.com/mz-automation/libiec61850/commit/10622ba36bb3910c151348f1569f039ecdd8786f
name	Upgrade	Upgrade	Upgrade
upgrade_version	1.5	1.5	1.5
upgrade_url	https://github.com/mz-automation/libiec61850	https://github.com/mz-automation/libiec61850	https://github.com/mz-automation/libiec61850
patch_name	10622ba36bb3910c151348f1569f039ecdd8786f	10622ba36bb3910c151348f1569f039ecdd8786f	10622ba36bb3910c151348f1569f039ecdd8786f
patch_url	https://github.com/mz-automation/libiec61850/commit/10622ba36bb3910c151348f1569f039ecdd8786f	https://github.com/mz-automation/libiec61850/commit/10622ba36bb3910c151348f1569f039ecdd8786f	https://github.com/mz-automation/libiec61850/commit/10622ba36bb3910c151348f1569f039ecdd8786f
cve	CVE-2022-3976	CVE-2022-3976	CVE-2022-3976
responsible	VulDB	VulDB	VulDB
date	1668294000 (2022-11-13)	1668294000 (2022-11-13)	1668294000 (2022-11-13)
type	Automation Software	Automation Software	Automation Software
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_av	A	A	A
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_av	A	A	A
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_e	X	X	X
cvss2_vuldb_basescore	5.2	5.2	5.2
cvss2_vuldb_tempscore	4.5	4.5	4.5
cvss3_vuldb_basescore	5.5	5.5	5.5
cvss3_vuldb_tempscore	5.3	5.3	5.3
cvss3_meta_basescore	5.5	5.5	6.6
cvss3_meta_tempscore	5.3	5.3	6.5
price_0day	$0-$5k	$0-$5k	$0-$5k
cve_assigned		1668294000 (2022-11-13)	1668294000 (2022-11-13)
cve_nvd_summary		A vulnerability has been found in MZ Automation libiec61850 up to 1.4 and classified as critical. This vulnerability affects unknown code of the file src/mms/iso_mms/client/mms_client_files.c of the component MMS File Services. The manipulation of the argument filename leads to path traversal. Upgrading to version 1.5 is able to address this issue. The name of the patch is 10622ba36bb3910c151348f1569f039ecdd8786f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-213556.	A vulnerability has been found in MZ Automation libiec61850 up to 1.4 and classified as critical. This vulnerability affects unknown code of the file src/mms/iso_mms/client/mms_client_files.c of the component MMS File Services. The manipulation of the argument filename leads to path traversal. Upgrading to version 1.5 is able to address this issue. The name of the patch is 10622ba36bb3910c151348f1569f039ecdd8786f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-213556.
cvss3_nvd_av			A
cvss3_nvd_ac			L
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss3_cna_av			A
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cve_cna			VulDB
cvss3_nvd_basescore			8.8
cvss3_cna_basescore			5.5

◂ Anterior Visión De Conjunto Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!