CVE-2022-22518 — Incorrect Default Permissions in Control FOR Beaglebone SL

CWE-276 — Incorrect Default Permissions CWE-286 — Incorrect User Management3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 63.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codesys Control FOR Beaglebone SL Codesys Control FOR Beckhoff Cx9020 SL Codesys Control FOR Empc-a Imx6 SL +17 more

Timeline

PublishedApr 7

Latest updateApr 8

Description

A bug in CmpUserMgr component can lead to only partially applied security policies. This can result in enabled, anonymous access to components part of the applied security policy.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages12 packages

▶NVDcodesys/control4.4.0.0 — 4.5.0.0

▶CVEListV5codesys/codesys_control_for_linux_slV4.5.0.0 — V4.5.0.0

▶CVEListV5codesys/codesys_control_for_pfc100_slV4.5.0.0 — V4.5.0.0

▶CVEListV5codesys/codesys_control_for_pfc200_slV4.5.0.0 — V4.5.0.0

▶CVEListV5codesys/codesys_control_for_iot2000_slV4.5.0.0 — V4.5.0.0

🔴Vulnerability Details

GHSA

GHSA-m3jp-v66f-7qcp: A bug in CmpUserMgr component can lead to only partially applied security policies↗2022-04-08

▶

CVEList

A bug in the CODESYS V3 CmpUserMgr component fails to correctly apply a security policy.↗2022-04-07

▶