History: Jan 12, 2023 - 2:01 p.m.

CVE-2022-2155 A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role.

2023-01-12 14:01:51
CWE-863
Hitachi Energy
www.cve.org

CVSS3: 5.7

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 6.9 (Confidence: High)

EPSS: 0.001 (Percentile: 28.2%)

A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature due to a flaw in the access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports feature. An attacker who manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining unauthorized access to any Power BI reports installed by the customer.

Furthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.

Affected versions

  • Lumada APM on-premises version 6.0.0.0 - 6.4.0.*

List of CPEs:

  • cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Lumada APM",
    "vendor": "Hitachi Energy",
    "versions": [
      {
        "status": "affected",
        "version": "6.0.0.*"
      },
      {
        "status": "affected",
        "version": "6.1.0.*"
      },
      {
        "status": "affected",
        "version": "6.2.0.*"
      },
      {
        "status": "affected",
        "version": "6.3.0.*"
      },
      {
        "status": "affected",
        "version": "6.4.0.0"
      },
      {
        "status": "unaffected",
        "version": "6.4.0.1"
      },
      {
        "status": "unaffected",
        "version": "6.5.0.0"
      }
    ]
  }
]
