CVE-2022-41688
Published 2022-10-31
Priority: P346 · Severity: high · CVSS 3.1 score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.64% (46.1th percentile)
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| delta_electronics | infrasuite_device_master | <= 00.00.01a | — |
| deltaww | infrasuite_device_master | < 00.00.02a | 00.00.02a |
| offis | dcmtk | >= 0 < 3.6.4-2.1ubuntu0.1 | 3.6.4-2.1ubuntu0.1 |
| offis | dcmtk | >= 0 < 3.6.1~20150924-5ubuntu0.1~esm2 | 3.6.1~20150924-5ubuntu0.1~esm2 |
| offis | dcmtk | >= 0 < 3.6.2-3ubuntu0.1~esm2 | 3.6.2-3ubuntu0.1~esm2 |
| offis | dcmtk | >= 0 < 3.6.6-5ubuntu0.1~esm2 | 3.6.6-5ubuntu0.1~esm2 |
| offis | dcmtk | >= 0 < 3.6.7-9.1ubuntu0.1~esm1 | 3.6.7-9.1ubuntu0.1~esm1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | 7.5 | HIGH | — |
OSV
osv · 2024-09-17 · CVSS 7.5
CVE-2021-41687: dcmtk vulnerabilities
Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690)

Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled pointers. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2022-2121)

It was discovered that DCMTK incorrectly handled certain inputs. If a user or an automated system w
GHSA
ghsa_unreviewed · 2022-11-01
GHSA-mvhp-p3f4-phmx: Delta Electronics InfraSuite Device Master (CVE-2022-41688, HIGH, CWE-306)
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group.
CISA ICS
cisa_ics · 2022-10-25 · CVSS 9.8
[CRITICAL] Delta Electronics InfraSuite Device Master (Update A)
ICS Advisory
## Delta Electronics InfraSuite Device Master (Update A)
Last Revised: January 18, 2023
Alert Code: ICSA-22-298-07
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: InfraSuite Device Master
- Vulnerabilities: Deserialization of Untrusted Data, Path Traversal, Missing Authentication for Critical Function
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-298-07 Delta Electronics InfraSuite Device Master that was published October 25, 2022, on the ICS webpage on cisa.gov/ICS.
## 3. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to remotely execut
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.