1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ABB
- Equipment: RMC-100
- Vulnerability: Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the web UI, causing a temporary denial of service until the interface can be restarted.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB reports that the following products are affected when the REST interface is enabled:
- RMC-100: Versions 2105457-036 to 2105457-044
- RMC-100 LITE: Versions 2106229-010 to 2106229-016
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPERLY CONTROLLED MODIFICATION OF OBJECT PROTOTYPE ATTRIBUTES (‘PROTOTYPE POLLUTION’) CWE-1321
A vulnerability exists in the web UI (REST interface) included in the product versions listed above. An attacker could exploit the vulnerability by sending a specially crafted message to the web UI node, causing the node process to hang until the REST interface is restarted (disabled and re-enabled).
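Added example, not ABB product code and not from the advisory: a minimal Node.js model of the CWE-1321 weakness described above. An untrusted REST body is merged into a server-side object by a naive recursive merge, which lets a "__proto__" key reach Object.prototype, beside a hardened merge that refuses prototype-chain keys; the config object, request body and helper names are constructed for illustration.

```javascript
// Keys that resolve to the prototype chain instead of an own property.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed request body: the first key is legitimate, the second one is not.
const BODY = '{"polling":{"intervalMs":5},"__proto__":{"polluted":true}}';

// Naive merge: walks every own key of the untrusted object. JSON.parse creates
// "__proto__" as an own key, and target["__proto__"] is Object.prototype, so
// the recursion writes into the shared prototype of every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject the forbidden keys outright and only descend into
// properties the target itself owns, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected unsafe key "${key}" in body`);
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime self-check a service can run after handling a request: a clean
// Object.prototype has no own enumerable keys.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

function demoUnsafe() {
  unsafeMerge({ polling: { intervalMs: 1000 } }, JSON.parse(BODY));
  const leaked = ({}).polluted === true; // an unrelated object now sees the key
  delete Object.prototype.polluted;      // undo the pollution for this process
  return leaked;                         // true
}

function demoSafe() {
  try { safeMerge({ polling: { intervalMs: 1000 } }, JSON.parse(BODY)); return "merged"; }
  catch (e) { return prototypeIsClean() ? "rejected" : "polluted"; } // "rejected"
}
```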
CVE-2022-24999 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-24999. A base score of 8.7 has been calculated; the CVSS vector string is (