CVE-2022-3189

Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specially crafted PHP script could use parameters from a HTTP request to create a URL capable of changing the host parameter. The changed host parameter in the HTTP could point to another host that will send a request to the host or IP specified in the changed host parameter.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03	Patch Third Party Advisory US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03	Patch Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu4-n20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu4-n20:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu4sa-n15_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu4sa-n15:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu4a-n15_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu4a-n15:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu4sa-n20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu4sa-n20:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu4a-n20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu4a-n20:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8sa-n15_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8sa-n15:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8a-n15_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8a-n15:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8sa-2n15_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8sa-2n15:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8a-2n15_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8a-2n15:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8sa-n20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8sa-n20:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8a-n20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8a-n20:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:dataprobe:iboot-pdu8a-2n20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dataprobe:iboot-pdu8a-2n20:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:19

Type	Values Removed	Values Added
Summary		(es) Las versiones de FW de Dataprobe iBoot-PDU anteriores a 1.42.06162022 contienen una vulnerabilidad en la que un script PHP especialmente manipulado podría usar parámetros de una solicitud HTTP para crear una URL capaz de cambiar el parámetro del host. El parámetro de host modificado en HTTP podría apuntar a otro host que enviará una solicitud al host o IP especificado en el parámetro de host modificado.
References	~~() https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03 - Patch, Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03 - Patch, Third Party Advisory, US Government Resource

Information

Published : 2022-12-21 23:15

Updated : 2024-11-21 07:19

NVD link : CVE-2022-3189

Mitre link : CVE-2022-3189

CVE.ORG link : CVE-2022-3189

JSON object : View

Products Affected

dataprobe

iboot-pdu4a-n20_firmware
iboot-pdu8sa-n20
iboot-pdu8a-n15
iboot-pdu8sa-n15
iboot-pdu4a-n15_firmware
iboot-pdu8a-2n15
iboot-pdu4-n20_firmware
iboot-pdu8a-2n15_firmware
iboot-pdu4-n20
iboot-pdu4sa-n20_firmware
iboot-pdu8a-2n20
iboot-pdu8sa-2n15_firmware
iboot-pdu8a-n15_firmware
iboot-pdu4sa-n20
iboot-pdu4sa-n15
iboot-pdu8a-n20_firmware
iboot-pdu8sa-n15_firmware
iboot-pdu8a-n20
iboot-pdu8sa-2n15
iboot-pdu4a-n20
iboot-pdu8a-2n20_firmware
iboot-pdu4sa-n15_firmware
iboot-pdu4a-n15
iboot-pdu8sa-n20_firmware

CWE

CWE-918

Server-Side Request Forgery (SSRF)

5.3 /10