Remote Information Disclosure Vulnerability in AVEVA Edge by AVEVA
CVE-2022-36969

7.1 HIGH

Key Information:

Vendor

Aveva

Status
Vendor
CVE Published: 29 March 2023

What is CVE-2022-36969?

The vulnerability, located in the LoadImportedLibraries method of AVEVA Edge 2020 SP2 Patch 0, permits attackers to gain unauthorized access to sensitive information. It is triggered when a user visits a malicious web page or opens a malicious file containing crafted XML, which causes the XML parser to improperly process external entity references. As a result, an attacker can extract confidential data from the system with the current user's permissions. To mitigate this risk, users must be cautious about external documents and malicious URLs.

Affected Version(s)

Edge 2020 SP2 Patch 0 (4201.2111.1802.0000)

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

CVSS V3.0

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative