CVE-2022-1018

Published: Apr 1, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.

Affected (3)

Products: Rockwellautomation: Connected Components Workbench, Isagraf, Safety Instrumented Systems Workstation

Rockwellautomation

3 products

Connected Components Workbench

Isagraf

Safety Instrumented Systems Workstation

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Rockwellautomation Connected Components Workbench	Up to 12.0
Rockwellautomation Isagraf	Up to 6.6.9
Rockwellautomation Safety Instrumented Systems Workstation	Up to 1.1

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01

Source: ics-cert@hq.dhs.gov

MitigationPatchThird Party AdvisoryUS Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchThird Party AdvisoryUS Government Resource

Timeline

No history available yet.