CVE-2022-28814 : Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8

Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device.

Published 2022-09-28 14:15:11

Updated 2022-09-30 02:11:41

Source CERT VDE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2022-28814

Gavazziautomation » Uwp 3.0 Monitoring Gateway And Controller Firmware
Versions before (<) 8.5.0.3
cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Gavazziautomation » Uwp 3.0 Monitoring Gateway And Controller » Version: N/A
Gavazziautomation » Uwp 3.0 Monitoring Gateway And Controller Firmware » EDP Edition
Versions before (<) 8.5.0.3
cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:edp:*:*:*:*:*
Matching versions
When used together with: Gavazziautomation » Uwp 3.0 Monitoring Gateway And Controller » Version: N/A EDP Edition
Gavazziautomation » Uwp 3.0 Monitoring Gateway And Controller Firmware » Security Enhanced Edition
Versions before (<) 8.5.0.3
cpe:2.3:o:gavazziautomation:uwp_3.0_monitoring_gateway_and_controller_firmware:*:*:security_enhanced:*:*:*:*:*
Matching versions
When used together with: Gavazziautomation » Uwp 3.0 Monitoring Gateway And Controller » Version: N/A Security Enhanced Edition
Gavazziautomation » Cpy Car Park Server
Versions before (<) 2.8.3
cpe:2.3:a:gavazziautomation:cpy_car_park_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-28814

EPSS FAQ

0.62%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 68 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-28814

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	CERT VDE
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-28814

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)
CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Assigned by: info@cert.vde.com (Secondary)

References for CVE-2022-28814

https://cert.vde.com/en/advisories/VDE-2022-029/

VDE-2022-029 | CERT@VDE
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-28814

Products affected by CVE-2022-28814

Exploit prediction scoring system (EPSS) score for CVE-2022-28814

CVSS scores for CVE-2022-28814

CWE ids for CVE-2022-28814

References for CVE-2022-28814