CVE-2022-35868

A vulnerability has been identified in TIA Multiuser Server V14 (All versions), TIA Multiuser Server V15 (All versions < V15.1 Update 8), TIA Project-Server (All versions < V1.1), TIA Project-Server V16 (All versions), TIA Project-Server V17 (All versions < V17 Update 6). Affected applications contain an untrusted search path vulnerability that could allow an attacker to escalate privileges, when tricking a legitimate user to start the service from an attacker controlled path.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-640968.html
https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:tia_multiuser_server:14:::::::*
	cpe:2.3:a:siemens:tia_multiuser_server:15:::::::*
	cpe:2.3:a:siemens:tia_multiuser_server:15.1:-::::::
	cpe:2.3:a:siemens:tia_multiuser_server:16:::::::*
	cpe:2.3:a:siemens:tia_project-server:1.0:::::::*
	cpe:2.3:a:siemens:tia_project-server:17:-::::::
	cpe:2.3:a:siemens:tia_project-server:17:update1::::::
	cpe:2.3:a:siemens:tia_project-server:17:update4::::::

History

13 Aug 2024, 08:15

Type	Values Removed	Values Added
Summary	(en) A vulnerability has been identified in TIA Multiuser Server V14 (All versions), TIA Multiuser Server V15 (All versions < V15.1 Update 8), TIA Project-Server (All versions < V1.1), TIA Project-Server V16 (All versions), TIA Project-Server V17 (All versions < V17 Update 6). Affected applications contain an untrusted search path vulnerability that could allow an attacker to escalate privileges, when tricking a legitimate user to start the service from an attacker controlled path.	(en) A vulnerability has been identified in TIA Multiuser Server V14 (All versions), TIA Multiuser Server V15 (All versions < V15.1 Update 8), TIA Project-Server (All versions < V1.1), TIA Project-Server V16 (All versions), TIA Project-Server V17 (All versions < V17 Update 6). Affected applications contain an untrusted search path vulnerability that could allow an attacker to escalate privileges, when tricking a legitimate user to start the service from an attacker controlled path.
References		() https://cert-portal.siemens.com/productcert/html/ssa-640968.html -

08 Feb 2024, 18:40

Type	Values Removed	Values Added
CPE	cpe:2.3:a:siemens:tia_project-server:17:::::::* cpe:2.3:a:siemens:tia_project-server:16:::::::*	cpe:2.3:a:siemens:tia_project-server:17:update4:::::: cpe:2.3:a:siemens:tia_project-server:17:-:::::: cpe:2.3:a:siemens:tia_project-server:17:update1::::::

09 May 2023, 13:15

Type	Values Removed	Values Added
Summary	A vulnerability has been identified in TIA Multiuser Server V14 (All versions), TIA Multiuser Server V15 (All versions < V15.1 Update 8), TIA Project-Server (All versions < V1.1), TIA Project-Server V16 (All versions), TIA Project-Server V17 (All versions). Affected applications contain an untrusted search path vulnerability that could allow an attacker to escalate privileges, when tricking a legitimate user to start the service from an attacker controlled path.	A vulnerability has been identified in TIA Multiuser Server V14 (All versions), TIA Multiuser Server V15 (All versions < V15.1 Update 8), TIA Project-Server (All versions < V1.1), TIA Project-Server V16 (All versions), TIA Project-Server V17 (All versions < V17 Update 6). Affected applications contain an untrusted search path vulnerability that could allow an attacker to escalate privileges, when tricking a legitimate user to start the service from an attacker controlled path.
CVSS	v2 : ~~unknown~~ v3 : ~~7.3~~	v2 : unknown v3 : 6.7

22 Feb 2023, 16:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-14 11:15

Updated : 2024-08-13 08:15

NVD link : CVE-2022-35868

Mitre link : CVE-2022-35868

CVE.ORG link : CVE-2022-35868

JSON object : View

Products Affected

siemens

tia_multiuser_server
tia_project-server

CWE

CWE-426

Untrusted Search Path

6.7 /10