CVE-2022-44731 — Argument Injection in Siemens Simatic Wincc OA V3.15

CWE-88 — Argument Injection5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 58.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic Wincc OA V3.15 Siemens Simatic Wincc OA V3.16 Siemens Simatic Wincc OA V3.17 +2 more

Timeline

PublishedDec 13

Description

A vulnerability has been identified in SIMATIC WinCC OA V3.15 (All versions < V3.15 P038), SIMATIC WinCC OA V3.16 (All versions < V3.16 P035), SIMATIC WinCC OA V3.17 (All versions < V3.17 P024), SIMATIC WinCC OA V3.18 (All versions < V3.18 P014). The affected component allows to inject custom arguments to the Ultralight Client backend application under certain circumstances. This could allow an authenticated remote attacker to inject arbitrary parameters when starting the client via the web int…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages5 packages

▶NVDsiemens/simatic_wincc_oa4 versions+3

▶CVEListV5siemens/simatic_wincc_oa_v3.15All versions < V3.15 P038

▶CVEListV5siemens/simatic_wincc_oa_v3.16All versions < V3.16 P035

▶CVEListV5siemens/simatic_wincc_oa_v3.17All versions < V3.17 P024

▶CVEListV5siemens/simatic_wincc_oa_v3.18All versions < V3.18 P014

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-6qqj-p988-f82q: A vulnerability has been identified in SIMATIC WinCC OA V3↗2022-12-13

▶

CVEList

CVE-2022-44731: A vulnerability has been identified in SIMATIC WinCC OA V3↗2022-12-13

▶