CVE Vulnerability

CVE-2022-1118

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-01 Third Party Advisory US Government Resource
Configurations

Configuration 1

cpe:2.3:a:rockwellautomation:safety_instrumented_systems_workstation:*:*:*:*:*:*:*:*
cpe:2.3:a:rockwellautomation:isagraf_workbench:*:*:*:*:*:*:*:*
cpe:2.3:a:rockwellautomation:connected_component_workbench:*:*:*:*:*:*:*:*
Information

Published : 2022-05-17 08:15

Updated : 2022-05-26 01:39

NVD link : CVE-2022-1118

Mitre link : CVE-2022-1118

Products Affected
No products.
CWE
CWE-502

Deserialization of Untrusted Data