CVE-2022-38469 : An unauthorized user with network access and the decryption key could decrypt se

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.

Published 2023-01-18 00:15:12

Updated 2023-07-21 20:32:47

Source ICS-CERT

View at NVD, CVE.org

Products affected by CVE-2022-38469

GE » Proficy Historian
Versions from including (>=) 7.0 and before (<) 2023
cpe:2.3:a:ge:proficy_historian:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	ICS-CERT
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-261 Weak Encoding for Password

Obscuring a password with a trivial encoding does not protect the password.

Assigned by: ics-cert@hq.dhs.gov (Secondary)
CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Assigned by: nvd@nist.gov (Primary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: nvd@nist.gov (Primary)

Jump to