CVE-2022-2155

{"id": "CVE-2022-2155", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2023-01-12T15:15:09.797", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["Mitigation", "Vendor Advisory"], "source": "cybersecurity@hitachienergy.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "\nA vulnerability exists in the affected versions of Lumada APM\u2019s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the \u201cLimited Engineer\u201d role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer\u2019s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer.\u00a0\n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"}], "lastModified": "2023-11-07T03:46:15.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:lumada_asset_performance_management:*:*:*:*:on-premises:*:*:*", "vulnerable": true, "matchCriteriaId": "C7CCDA82-BE91-49C2-93DD-B21F2653BDDB", "versionEndExcluding": "6.4.0.1", "versionStartIncluding": "6.0.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@hitachienergy.com"}