Cleartext storage of sensitive information in Hitachi Energy products - CVE-2022-2513

 

Published: November 30, 2022


Vulnerability identifier: #VU69736
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-2513
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
PCM600 Update Manager
670 Connectivity Package
650 Connectivity Package
SAM600-IO Connectivity Package
GMS600 Connectivity Package
PWC600 Connectivity Package
Software vendor:
Hitachi Energy

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists because user credentials are stored in plaintext in the database used by the credential storage function of the Intelligent Electronic Device (IED) Connectivity Package (ConnPack). A local attacker can obtain IED credentials.


Remediation

Install updates from the vendor's website.

External links