CVE-2022-31805

In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.

CVSS v3 7.5 HIGH
CVSS v2.0 4.3 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download=	Vendor Advisory
https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download=	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:codesys:development_system::::::::
	cpe:2.3:a:codesys:edge_gateway::::::windows::*
	cpe:2.3:a:codesys:gateway::::::::
	cpe:2.3:a:codesys:hmi_sl::::::::
	cpe:2.3:a:codesys:opc_server::::::::
	cpe:2.3:a:codesys:plchandler::::::::
	cpe:2.3:a:codesys:plcwinnt::::::::
	cpe:2.3:a:codesys:runtime_toolkit:::::::x86:*
	cpe:2.3:a:codesys:sp_realtime_nt::::::::
	cpe:2.3:a:codesys:web_server::::::::

History

21 Nov 2024, 07:05

Type	Values Removed	Values Added
References	~~() https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download= - Vendor Advisory~~	() https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download= - Vendor Advisory

16 Sep 2024, 19:16

Type	Values Removed	Values Added
Summary	~~(en) In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.~~	(en) In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.

Information

Published : 2022-06-24 08:15

Updated : 2024-11-21 07:05

NVD link : CVE-2022-31805

Mitre link : CVE-2022-31805

CVE.ORG link : CVE-2022-31805

JSON object : View

Products Affected

codesys

web_server
hmi_sl
plchandler
edge_gateway
runtime_toolkit
gateway
opc_server
plcwinnt
sp_realtime_nt
development_system

CWE

CWE-523

Unprotected Transport of Credentials

{"id": "CVE-2022-31805", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-06-24T08:15:07.590", "references": [{"url": "https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download=", "tags": ["Vendor Advisory"], "source": "info@cert.vde.com"}, {"url": "https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download=", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-523"}]}], "descriptions": [{"lang": "en", "value": "In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected."}, {"lang": "es", "value": "En CODESYS Development System, varios componentes en diversos versiones transmiten las contrase\u00f1as para la comunicaci\u00f3n entre clientes y servidores sin protecci\u00f3n"}], "lastModified": "2024-11-21T07:05:22.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codesys:development_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85D06342-38A2-4E95-BE56-08D54271E41F", "versionEndExcluding": "2.3.9.69"}, {"criteria": "cpe:2.3:a:codesys:edge_gateway:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "EC5C6832-F0B3-46DF-8047-22A2544D937C", "versionEndExcluding": "3.5.18.30"}, {"criteria": "cpe:2.3:a:codesys:gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B9AE405-A0E5-48FF-9E8C-1A323D296445", "versionEndExcluding": "2.3.9.38"}, {"criteria": "cpe:2.3:a:codesys:hmi_sl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F23A1B9F-97EE-4E4C-AAB9-511B4A3ED98C", "versionEndExcluding": "3.5.18.30"}, {"criteria": "cpe:2.3:a:codesys:opc_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46CDFB44-9702-4978-B577-9D07DF3D04B0", "versionEndExcluding": "3.5.18.30"}, {"criteria": "cpe:2.3:a:codesys:plchandler:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4932F620-43F8-4F3F-80AE-CD603BF05962", "versionEndExcluding": "3.5.18.30"}, {"criteria": "cpe:2.3:a:codesys:plcwinnt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6887DEB0-5C13-4D7B-86E6-504D8CBB2A0D", "versionEndExcluding": "2.4.7.57"}, {"criteria": "cpe:2.3:a:codesys:runtime_toolkit:*:*:*:*:*:*:x86:*", "vulnerable": true, "matchCriteriaId": "5A605019-68F5-4C21-96BD-C300DECAA3D8", "versionEndExcluding": "2.4.7.57"}, {"criteria": "cpe:2.3:a:codesys:sp_realtime_nt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14F1D049-7DF2-453A-9D5A-7FCBCAD465E3", "versionEndExcluding": "2.3.7.30"}, {"criteria": "cpe:2.3:a:codesys:web_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "971AF379-F2B6-4791-B153-718517CA3E62", "versionEndExcluding": "1.1.9.23"}], "operator": "OR"}]}], "sourceIdentifier": "info@cert.vde.com"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-31805

7.5^/10

4.3^/10

Attach tags to `CVE-2022-31805`