Severity
High
Analysis Summary
CVE-2022-3686 CVSS:4.8
Hitachi SDM600 could allow a remote attacker to bypass security restrictions, caused by a flaw in API permission check mechanism. By running multiple parallel requests, an attacker could exploit this vulnerability to gain access to device data, causing confidentiality and integrity issues.
CVE-2022-3685 CVSS:7.5
Hitachi SDM600 could allow a local authenticated attacker to gain elevated privileges on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
CVE-2022-3684 CVSS:7.5
Hitachi SDM600 is vulnerable to a denial of service. By running multiple parallel requests, an remote attacker could exploit this vulnerability to cause the SDM600 web services become busy rendering the application unresponsive.
CVE-2022-3683 CVSS:7.7
Hitachi SDM600 could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the API web services authorization validation implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to read data directly from a data store.
CVE-2022-3682 CVSS:9.9
Hitachi SDM600 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the file permission validation. By gaining access to the system and uploading a specially crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Impact
- Code Execution
- Privilege Escalation
- Denial of Service
- Security Bypass
Indicators Of Compromise
CVE
- CVE-2022-3686
- CVE-2022-3685
- CVE-2022-3684
- CVE-2022-3683
- CVE-2022-3682
Affected Vendors
Hitachi
Affected Products
- Hitachi Energy SDM600
Remediation
Refer to ABB Document for patch, upgrade or suggested workaround information.