CVE-2022-2155

A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role.

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature
due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports
feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining
unauthorized access to any Power BI reports installed by the customer.

Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.

Affected versions
* Lumada APM on-premises version 6.0.0.0 - 6.4.0.*

List of CPEs:
* cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*

Existe una vulnerabilidad en las versiones afectadas de la función User Asset Group de Lumada APM debido a un fallo en la implementación del mecanismo de control de acceso en el “Limited Engineer” rol, otorgándole acceso a la característica de informes integrados de Power BI. Un atacante que logre explotar la vulnerabilidad en Lumada APM de un cliente podría acceder a información no autorizada obteniendo acceso no autorizado a cualquier informe de Power BI instalado por el cliente. Además, la vulnerabilidad permite a un atacante manipular comentarios sobre problemas de activos, que no deberían estar disponibles para el atacante. Versiones afectadas:
* Lumada APM versión local 6.0.0.0 - 6.4.0.* Lista de CPE: * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:* :*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:* :*:*:*:*:*:*

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-06-21 CVE Reserved
2023-01-12 CVE Published
2024-08-03 CVE Updated
2024-08-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization

CAPEC

CAPEC-122: Privilege Abuse

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hitachienergy Search vendor "Hitachienergy"		Lumada Asset Performance Management Search vendor "Hitachienergy" for product "Lumada Asset Performance Management"				>= 6.0.0.0 < 6.4.0.1 Search vendor "Hitachienergy" for product "Lumada Asset Performance Management" and version " >= 6.0.0.0 < 6.4.0.1"		on-premises		Affected