CVE-2022-47311 | ByteOS Network

Vulnerability Details :

CVE-2022-47311

Assigner-icscert

Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At-22 May, 2023 | 22:12

Updated At-16 Jan, 2025 | 21:32

CVE-2022-47311

A proprietary protocol for iBoot devices is used for control and keepalive commands. The function compares the username and password; it also contains the configuration data for the user specified. If the user does not exist, then it sends a value for username and password, which allows successful authentication for a connection.

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:icscert

Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At:22 May, 2023 | 22:12

Updated At:16 Jan, 2025 | 21:32

▼CVE Numbering Authority (CNA)

CVE-2022-47311

A proprietary protocol for iBoot devices is used for control and keepalive commands. The function compares the username and password; it also contains the configuration data for the user specified. If the user does not exist, then it sends a value for username and password, which allows successful authentication for a connection.

Affected Products

Vendor

Dataprobe, Inc.

Product

Dataprobe iBoot-PDU FW

Versions

Affected

From 0 before 1.42.06162022 (custom)

Problem Types

Type	CWE ID	Description
N/A	N/A	CWE-288 Authentication Bypass Using an Alternate Path or Channel

Type: N/A

CWE ID: N/A

Description: CWE-288 Authentication Bypass Using an Alternate Path or Channel

Metrics

Version	Base score	Base severity	Vector
3.1	8.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Version: 3.1

Base score: 8.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

References

Hyperlink	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03	N/A
https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf	N/A

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03

Resource: N/A

Hyperlink: https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03	x_transferred
https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf	x_transferred

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03

Resource:

x_transferred

Hyperlink: https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:ics-cert@hq.dhs.gov

Published At:22 May, 2023 | 23:15

Updated At:07 Nov, 2023 | 03:56

A proprietary protocol for iBoot devices is used for control and keepalive commands. The function compares the username and password; it also contains the configuration data for the user specified. If the user does not exist, then it sends a value for username and password, which allows successful authentication for a connection.

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary	3.1	8.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Type: Primary

Version: 3.1

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CPE Matches

Dataprobe, Inc.

>>iboot-pdu4-n20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4-n20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4-n20>>-

cpe:2.3:h:dataprobe:iboot-pdu4-n20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-n15_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4sa-n15_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-n15>>-

cpe:2.3:h:dataprobe:iboot-pdu4sa-n15:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-n15_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4a-n15_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-n15>>-

cpe:2.3:h:dataprobe:iboot-pdu4a-n15:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-n20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4sa-n20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-n20>>-

cpe:2.3:h:dataprobe:iboot-pdu4sa-n20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-n20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4a-n20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-n20>>-

cpe:2.3:h:dataprobe:iboot-pdu4a-n20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-n15_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8sa-n15_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-n15>>-

cpe:2.3:h:dataprobe:iboot-pdu8sa-n15:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-n15_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-n15_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-n15>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-n15:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-2n15_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8sa-2n15_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-2n15>>-

cpe:2.3:h:dataprobe:iboot-pdu8sa-2n15:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2n15_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-2n15_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2n15>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-2n15:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-n20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8sa-n20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-n20>>-

cpe:2.3:h:dataprobe:iboot-pdu8sa-n20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-n20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-n20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-n20>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-n20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2n20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-2n20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2n20>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-2n20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4-c20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4-c20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4-c20>>-

cpe:2.3:h:dataprobe:iboot-pdu4-c20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-c10_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4a-c10_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-c10>>-

cpe:2.3:h:dataprobe:iboot-pdu4a-c10:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-c10_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4sa-c10_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-c10>>-

cpe:2.3:h:dataprobe:iboot-pdu4sa-c10:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-c10_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-c10_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-c10>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-c10:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-c10_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8sa-c10_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8sa-c10>>-

cpe:2.3:h:dataprobe:iboot-pdu8sa-c10:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2c20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-2c20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2c20>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-2c20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-c20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4sa-c20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4sa-c20>>-

cpe:2.3:h:dataprobe:iboot-pdu4sa-c20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-c20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu4a-c20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu4a-c20>>-

cpe:2.3:h:dataprobe:iboot-pdu4a-c20:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2c10_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-2c10_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-2c10>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-2c10:-:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-c20_firmware>>Versions before 1.42.06162022(exclusive)

cpe:2.3:o:dataprobe:iboot-pdu8a-c20_firmware:*:*:*:*:*:*:*:*

Dataprobe, Inc.

>>iboot-pdu8a-c20>>-

cpe:2.3:h:dataprobe:iboot-pdu8a-c20:-:*:*:*:*:*:*:*

References

Hyperlink	Source	Resource
https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf	ics-cert@hq.dhs.gov	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03	ics-cert@hq.dhs.gov	Patch Third Party Advisory US Government Resource

Hyperlink: https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf

Source: ics-cert@hq.dhs.gov

Resource:

Product

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03

Source: ics-cert@hq.dhs.gov

Resource:

Patch

Third Party Advisory

US Government Resource

Similar CVEs

1Records found

Matching Score-8

Assigner-Trellix

Matching Score-8

Assigner-Trellix

CVSS Score-7.2||HIGH

EPSS-0.45% / 62.73%

||

7 Day CHG~0.00%

Published-14 Aug, 2023 | 03:51

Updated-09 Oct, 2024 | 13:23

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection via the `user-name` URL parameter. An authenticated malicious agent can exploit this vulnerability to execute arbitrary command on the underlying Linux operating system.

Vendor-Cyber Power Systems, Inc.Dataprobe, Inc.

Product-iboot-pdu8sa-2n15_firmware iboot-pdu4sa-n15 iboot-pdu8a-2c20 iboot-pdu4-n20 iboot-pdu4sa-c20 iboot-pdu4-c20 iboot-pdu8a-2c10_firmware iboot-pdu8a-c20 iboot-pdu4sa-n20_firmware iboot-pdu8sa-2n15 iboot-pdu4sa-n15_firmware iboot-pdu4-n20_firmware iboot-pdu8a-2c10 iboot-pdu8sa-c10 iboot-pdu8a-c10 iboot-pdu8a-2c20_firmware iboot-pdu8sa-n15 iboot-pdu4-c20_firmware powerpanel_server iboot-pdu4a-n15 iboot-pdu4a-n20_firmware iboot-pdu4sa-c20_firmware iboot-pdu4sa-n20 iboot-pdu8a-2n15 iboot-pdu8a-c20_firmware iboot-pdu8a-n20 iboot-pdu4a-c20_firmware iboot-pdu4sa-c10_firmware iboot-pdu8sa-n20 iboot-pdu8a-c10_firmware iboot-pdu4a-n20 iboot-pdu4a-c20 iboot-pdu8a-2n15_firmware iboot-pdu8sa-n20_firmware iboot-pdu4a-c10 iboot-pdu4a-c10_firmware iboot-pdu8a-2n20 iboot-pdu4a-n15_firmware iboot-pdu8a-n15_firmware iboot-pdu8a-n20_firmware iboot-pdu8sa-n15_firmware iboot-pdu8a-2n20_firmware iboot-pdu4sa-c10 iboot-pdu8sa-c10_firmware iboot-pdu8a-n15 iBoot PDU

CWE ID-CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')