Vulnerabilities > CVE-2022-1467 - Exposure of Resource to Wrong Sphere vulnerability in Aveva products

CVSS 9.9 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

aveva

CWE-668

critical

NVD

Published: 2022-05-23

Updated: 2022-06-07

Summary

Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is possible to manipulate the Windows OS language bar to launch an OS command prompt, resulting in a context-escape from application into OS.

Vulnerable Configurations

Part	Description	Count
Application	Aveva Aveva Plant Scada Access Anywhere * Aveva Intouch Access Anywhere *	2

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

References

https://www.aveva.com/en/support-and-success/cyber-security-updates/
https://www.cisa.gov/uscert/ics/advisories/icsa-22-130-05