CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
28.2%
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature
due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports
feature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining
unauthorized access to any Power BI reports installed by the customer.
Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.
Affected versions
List of CPEs:
[
{
"defaultStatus": "unaffected",
"product": "Lumada APM",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "6.0.0.*"
},
{
"status": "affected",
"version": "6.1.0.*"
},
{
"status": "affected",
"version": "6.2.0.*"
},
{
"status": "affected",
"version": "6.3.0.*"
},
{
"status": "affected",
"version": "6.4.0.0"
},
{
"status": "unaffected",
"version": "6.4.0.1"
},
{
"status": "unaffected",
"version": "6.5.0.0"
}
]
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
28.2%