CVE-2022-38469 : An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and pass

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.

Published 2023-01-18 00:15:12

Updated 2023-07-21 20:32:47

Source ICS-CERT

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-38469

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	ICS-CERT
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-261 Weak Encoding for Password

Obscuring a password with a trivial encoding does not protect the password.

Assigned by: ics-cert@hq.dhs.gov (Secondary)
CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Assigned by: nvd@nist.gov (Primary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: nvd@nist.gov (Primary)

GE » Proficy Historian
Versions from including (>=) 7.0 and before (<) 2023
cpe:2.3:a:ge:proficy_historian:*:*:*:*:*:*:*:*
Matching versions