CVE-2022-23450Deserialization of Untrusted Data in Siemens Simatic Energy Manager Basic

CWE-502Deserialization of Untrusted Data6 documents4 sources
Severity
9.8CRITICALNVD
EPSS
33.3%
top 3.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Siemens Simatic Energy Manager BasicSiemens Simatic Energy Manager PRO
Timeline
PublishedApr 12
Latest updateOct 15

Description

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the devic

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

CVEListV5siemens/simatic_energy_manager_basicAll versions < V7.3 Update 1
CVEListV5siemens/simatic_energy_manager_proAll versions < V7.3 Update 1

Patches

Patch: cert-portal.siemens.comPatch: cert-portal.siemens.com

🔴Vulnerability Details

2
GHSA
GHSA-xrj9-8xhq-9gjh: A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V72022-04-13
CVEList
CVE-2022-23450: A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V72022-04-12

📋Vendor Advisories

3
Oracle
Oracle Oracle Communications Applications Risk Matrix: Framework (dojo) — CVE-2021-234502022-10-15
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Sample apps (Dojo) — CVE-2021-234502022-07-15
Oracle
Oracle Oracle Communications Risk Matrix: CMP (dojo) — CVE-2021-234502022-04-15
CVE-2022-23450 — Deserialization of Untrusted Data | cvebase