Cleartext storage of sensitive information in Hitachi Energy products - CVE-2022-2513

 

Cleartext storage of sensitive information in Hitachi Energy products - CVE-2022-2513

Published: November 30, 2022


Vulnerability identifier: #VU69736
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-2513
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Hitachi Energy
Affected software:
PCM600 Update Manager
670 Connectivity Package
650 Connectivity Package
SAM600-IO Connectivity Package
GMS600 Connectivity Package
PWC600 Connectivity Package

Detailed vulnerability description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to user credentials are stored in plaintext in the database within the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function. A local attacker can obtain IED credentials.


How to mitigate CVE-2022-2513

Install updates from vendor's website.

Sources