var-202208-2220
Vulnerability from variot

Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter to the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. A path traversal vulnerability exists in CAREL INDUSTRIES S.p.a. pCOWeb card firmware, applica, and pcoweb hvac bacnet gateway. Information may be obtained. pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, and remote management systems, to offer OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems. The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter to the 'logdownload.cgi' Bash script is not properly verified before being used to download log files.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202208-2220",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "applica",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "carel",
        "version": "2.154a"
      },
      {
        "model": "pcoweb card",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "carel",
        "version": "a2.1.0"
      },
      {
        "model": "pcoweb hvac bacnet gateway",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "carel",
        "version": "2.1.0"
      },
      {
        "model": "applica",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "carel",
        "version": "16_13020200"
      },
      {
        "model": "pcoweb card",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "carel",
        "version": "b.2.1.0"
      },
      {
        "model": "applica",
        "scope": null,
        "trust": 0.8,
        "vendor": "carel industries s p a",
        "version": null
      },
      {
        "model": "pcoweb card",
        "scope": null,
        "trust": 0.8,
        "vendor": "carel industries s p a",
        "version": null
      },
      {
        "model": "pcoweb hvac bacnet gateway",
        "scope": null,
        "trust": 0.8,
        "vendor": "carel industries s p a",
        "version": null
      },
      {
        "model": "pcoweb hvac bacnet gateway",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "carel industries s p a",
        "version": "firmware: a2.1.0 - b2.1.0"
      },
      {
        "model": "pcoweb hvac bacnet gateway",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "carel industries s p a",
        "version": "application software: 2.15.4a"
      },
      {
        "model": "pcoweb hvac bacnet gateway",
        "scope": "eq",
        "trust": 0.1,
        "vendor": "carel industries s p a",
        "version": "software version: v16 13020200"
      }
    ],
    "sources": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Vulnerability discovered by Gjoko Krstic",
    "sources": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2022-37122",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2022-37122",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2022-37122",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2022-37122",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2022-37122",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202208-4478",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "ZSL",
            "id": "ZSL-2022-5709",
            "trust": 0.1,
            "value": "(4/5)"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the \u0027file\u0027 GET parameter through the \u0027logdownload.cgi\u0027 Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. CAREL INDUSTRIES S.p.a. of pCOWeb card firmware, applica , pcoweb hvac bacnet gateway Exists in a past traversal vulnerability.Information may be obtained. pCO sistema is the solution CAREL offers its customers for managing HVAC/Rapplications and systems. It consists of programmable controllers, user interfaces,gateways and communication interfaces, remote management systems to offer the OEMsworking in HVAC/R a control system that is powerful yet flexible, can be easily interfacedto the more widely-used Building Management Systems, and can also be integrated intoproprietary supervisory systems.The device suffers from an unauthenticated arbitrary file disclosure vulnerability.Input passed through the \u0027file\u0027 GET parameter through the \u0027logdownload.cgi\u0027 Bash scriptis not properly verified before being used to download log files",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-37122"
      }
    ],
    "trust": 1.89
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.zeroscience.mk/codes/carelpco_dir.txt",
        "trust": 0.1,
        "type": "poc"
      }
    ],
    "sources": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-37122",
        "trust": 3.5
      },
      {
        "db": "PACKETSTORM",
        "id": "167684",
        "trust": 2.7
      },
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709",
        "trust": 2.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478",
        "trust": 0.6
      },
      {
        "db": "EXPLOIT-DB",
        "id": "50986",
        "trust": 0.1
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2022070011",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-433016",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-37122",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-37122"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "id": "VAR-202208-2220",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-433016"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-08-14T14:49:39.141000Z",
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.1
      },
      {
        "problemtype": "Path traversal (CWE-22) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.7,
        "url": "https://packetstormsecurity.com/files/167684/"
      },
      {
        "trust": 2.6,
        "url": "https://www.zeroscience.mk/codes/carelpco_dir.txt"
      },
      {
        "trust": 2.6,
        "url": "https://www.zeroscience.mk/en/vulnerabilities/zsl-2022-5709.php"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37122"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-37122/"
      },
      {
        "trust": 0.1,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230273"
      },
      {
        "trust": 0.1,
        "url": "https://cxsecurity.com/issue/wlb-2022070011"
      },
      {
        "trust": 0.1,
        "url": "https://www.exploit-db.com/exploits/50986"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-37122"
      },
      {
        "trust": 0.1,
        "url": "https://www.tenable.com/cve/cve-2022-37122"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-37122"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-37122"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "date": "2022-08-31T00:00:00",
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "date": "2022-08-31T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-37122"
      },
      {
        "date": "2023-10-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "date": "2022-08-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      },
      {
        "date": "2022-08-31T16:15:11.747000",
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-09-01T00:00:00",
        "db": "ZSL",
        "id": "ZSL-2022-5709"
      },
      {
        "date": "2022-09-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-433016"
      },
      {
        "date": "2022-08-31T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-37122"
      },
      {
        "date": "2023-10-03T08:08:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      },
      {
        "date": "2022-09-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      },
      {
        "date": "2022-09-08T01:35:34.110000",
        "db": "NVD",
        "id": "CVE-2022-37122"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural \u00a0CAREL\u00a0INDUSTRIES\u00a0S.p.a.\u00a0 Past traversal vulnerabilities in products",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-016301"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "path traversal",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202208-4478"
      }
    ],
    "trust": 0.6
  }
}

