JVNDB-2022-001384
|
Multiple vulnerabilities in OMRON CX-Programmer
|
CX-Programmer provided by OMRON Corporation contains multiple vulnerabilities listed below.
* Out-of-bounds Write (CWE-787) - CVE-2022-21124
* Use After Free (CWE-416) - CVE-2022-25230
* Use After Free (CWE-416) - CVE-2022-25325
* Out-of-bounds Read (CWE-125) - CVE-2022-21219
* Out-of-bounds Write (CWE-787) - CVE-2022-25234
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
|
CVSS V3 Severity: Base Metrics 7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.8 (Medium) [NVD Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-21124
|
CVSS V3 Severity: Base Metrics 7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-25230
|
CVSS V3 Severity: Base Metrics 7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-25325
|
CVSS V3 Severity: Base Metrics 7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-21219
|
CVSS V3 Severity: Base Metrics 7.8 (High) [Other]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2022-25234
|
|
OMRON Corporation
- CX-One v9.76.1 and earlier, which is part of the CX-One (v4.60) suite
|
|
If a user opens a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
|
[Update the Software]
The update for the CX-One suite is applied by its Auto Update function, so users do not need to take any action.
The developer recommends that users contact the developer and/or its sales representatives if there are any issues with Auto Update.
The version that contains the fix for these vulnerabilities is as follows.
* CX-Programmer Ver.9.77
For more information, refer to the information provided by the developer.
|
OMRON Corporation
|
- Out-of-bounds Read (CWE-125) [Other]
- Use After Free (CWE-416) [Other]
- Out-of-bounds Write (CWE-787) [Other]
|
- CVE-2022-21124
- CVE-2022-25230
- CVE-2022-25325
- CVE-2022-21219
- CVE-2022-25234
|
- JVN : JVNVU#90121984
- National Vulnerability Database (NVD) : CVE-2022-21124
- National Vulnerability Database (NVD) : CVE-2022-21219
- National Vulnerability Database (NVD) : CVE-2022-25230
- National Vulnerability Database (NVD) : CVE-2022-25234
- National Vulnerability Database (NVD) : CVE-2022-25325
|
- [2022/03/08]
Web page was published
- [2024/06/20]
CVSS Severity was modified
References : Contents were added
|