CVE-2022-4779 - Vulnerability Details - OpenCVE

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme. StreamX applications using StreamView HTML component with the public web server feature activated are affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elvexys	Streamx

Configuration 1 [-]

cpe:2.3:a:elvexys:streamx:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/

History

No history.

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2022-12-28T14:20:49.370Z

Updated: 2024-08-03T01:48:40.434Z

Reserved: 2022-12-28T09:16:59.208Z

Link: CVE-2022-4779

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-29T00:15:09.497

Modified: 2024-11-21T07:35:55.607

Link: CVE-2022-4779

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4779", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2022-12-28T09:16:59.208Z", "datePublished": "2022-12-28T14:20:49.370Z", "dateUpdated": "2024-08-03T01:48:40.434Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "StreamX", "vendor": "elvexys", "versions": [{"lessThanOrEqual": "6.04.34", "status": "affected", "version": "6.02.01", "versionType": "patch"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "StreamX applications from <b>versions 6.02.01 to 6.04.34</b> are affected by a <b>logic bug</b> that allows to bypass the implemented authentication scheme.<br>StreamX applications using StreamView HTML component with the public web server feature activated are affected. "}], "value": "StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme.\nStreamX applications using StreamView HTML component with the public web server feature activated are affected. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2022-12-28T23:29:52.525165Z"}, "references": [{"tags": ["release-notes"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade StreamX to version 6.04.35 or above.<br>"}], "value": "Upgrade StreamX to version 6.04.35 or above.\n"}], "source": {"discovery": "EXTERNAL"}, "title": "authentication bypass in elvexys StreamX using StreamView HTML component with public web server feature", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:48:40.434Z"}, "title": "CVE Program Container", "references": [{"tags": ["release-notes", "x_transferred"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elvexys:streamx:*:*:*:*:*:*:*:*", "matchCriteriaId": "12FCA161-3969-45C5-B91F-7A295A1A86E4", "versionEndIncluding": "6.04.34", "versionStartIncluding": "6.02.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme.\nStreamX applications using StreamView HTML component with the public web server feature activated are affected. "}, {"lang": "es", "value": "Las aplicaciones StreamX desde las versiones 6.02.01 a 6.04.34 se ven afectadas por un error l\u00f3gico que permite eludir el esquema de autenticaci\u00f3n implementado. Las aplicaciones StreamX que utilizan el componente HTML StreamView con la funci\u00f3n de servidor web p\u00fablico activada se ven afectadas."}], "id": "CVE-2022-4779", "lastModified": "2024-11-21T07:35:55.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "vulnerability@ncsc.ch", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-29T00:15:09.497", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/streamx-release-notes/"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}