CVE-2022-46354

13.12.2022, 16:15

A vulnerability has been identified in SCALANCE X204RNA (HSR) (All versions < V3.2.7), SCALANCE X204RNA (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (HSR) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP/HSR) (All versions < V3.2.7). The webserver of an affected device is missing specific security headers. This could allow an remote attacker to extract confidential session information under certain circumstances.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
siemens	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Vendor	Product	Version
siemens	6gk5204-0ba00-2mb2_firmware	𝑥 < 3.2.7
siemens	6gk5204-0ba00-2kb2_firmware	𝑥 < 3.2.7
siemens	6gk5204-0bs00-2na3_firmware	𝑥 < 3.2.7
siemens	6gk5204-0bs00-3la3_firmware	𝑥 < 3.2.7
siemens	6gk5204-0bs00-3pa3_firmware	𝑥 < 3.2.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-363821.pdf