CVE-2022-23129

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.

Una vulnerabilidad de almacenamiento de texto plano de una contraseña en Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores y en ICONICS GENESIS64 versiones 10.90 a 10.97, permite a un atacante local autenticado conseguir información de autenticación y acceder a la base de datos de forma ilegal. Esto es debido a que cuando la información de configuración de GridWorX, una función de enlace de bases de datos de GENESIS64 y MC Works64, es exportada a un archivo CSV, la información de autenticación es guardada en texto plano, y un atacante que pueda acceder a este archivo CSV puede conseguir la información de autenticación

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-11 CVE Reserved
2022-01-21 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-312: Cleartext Storage of Sensitive Information

CAPEC

References (3)

URL	Tag	Source
https://jvn.jp/vu/JVNVU95403720/index.html	Mitigation
https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf	2022-01-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Iconics Search vendor "Iconics"		Genesis64 Search vendor "Iconics" for product "Genesis64"				>= 10.90 <= 10.97 Search vendor "Iconics" for product "Genesis64" and version " >= 10.90 <= 10.97"		-		Affected
Mitsubishielectric Search vendor "Mitsubishielectric"		Mc Works64 Search vendor "Mitsubishielectric" for product "Mc Works64"				< 10.95.210.01 Search vendor "Mitsubishielectric" for product "Mc Works64" and version " < 10.95.210.01"		-		Affected