SB2022090719 - Multiple vulnerabilities in Cognex 3D-A1000 Dimensioning System

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022090719

SB2022090719 - Multiple vulnerabilities in Cognex 3D-A1000 Dimensioning System

Published: September 7, 2022

Security Bulletin ID SB2022090719
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 67% Medium 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2022-1368)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to missing authentication for critical function. A remote attacker can change the operator account password via webserver commands by monitoring web socket communications from an unauthenticated session and gain elevated privileges on the target system.


2) Improper Output Neutralization for Logs (CVE-ID: CVE-2022-1522)

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to improper output neutralization for logs. A remote attacker can create false logs that show the password as having been changed when it is not, complicating forensics.


3) Client-Side Enforcement of Server-Side Security (CVE-ID: CVE-2022-1525)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a client-side control issue. A remote attacker can inspec and modify the source code of password protected web elements and bypass web access controls.


Remediation

Install update from vendor's website.

References