CVE-2022-2634 - Vulnerability Details - OpenCVE

An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Digi	Connectport X2d Connectport X2d Firmware

Configuration 1 [-]

AND

cpe:2.3:o:digi:connectport_x2d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:digi:connectport_x2d:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01

History

Wed, 16 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-08-09T20:18:31.257Z

Updated: 2025-04-16T16:13:37.837Z

Reserved: 2022-08-02T00:00:00.000Z

Link: CVE-2022-2634

Vulnrichment

Updated: 2024-08-03T00:46:03.490Z

NVD

Status : Modified

Published: 2022-08-10T20:15:36.597

Modified: 2024-11-21T07:01:24.657

Link: CVE-2022-2634

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ConnectPort X2D", "vendor": "Digi", "versions": [{"status": "affected", "version": "All manufactured prior to 01/2020"}]}], "credits": [{"lang": "en", "value": "Aar\u00f3n Flecha of S21sec reported this vulnerability to CISA."}], "datePublic": "2022-08-04T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-250", "description": "CWE-250 Execution with Unnecessary Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-09T20:18:31.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01"}], "source": {"advisory": "ICSA-22-216-01", "discovery": "EXTERNAL"}, "title": "Digi ConnectPort X2D", "workarounds": [{"lang": "en", "value": "Digi International indicated this vulnerability does not exist in ConnectPort gateways manufactured after January 2020. It is recommended to contact Digi International support for assistance with impacted devices manufactured prior to January 2020."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-08-04T17:00:00.000Z", "ID": "CVE-2022-2634", "STATE": "PUBLIC", "TITLE": "Digi ConnectPort X2D"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ConnectPort X2D", "version": {"version_data": [{"version_affected": "=", "version_name": "All", "version_value": "manufactured prior to 01/2020"}]}}]}, "vendor_name": "Digi"}]}}, "credit": [{"lang": "eng", "value": "Aar\u00f3n Flecha of S21sec reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-250 Execution with Unnecessary Privileges"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01"}]}, "source": {"advisory": "ICSA-22-216-01", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Digi International indicated this vulnerability does not exist in ConnectPort gateways manufactured after January 2020. It is recommended to contact Digi International support for assistance with impacted devices manufactured prior to January 2020."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:46:03.490Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:53:46.897152Z", "id": "CVE-2022-2634", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:13:37.837Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2634", "datePublished": "2022-08-09T20:18:31.257Z", "dateReserved": "2022-08-02T00:00:00.000Z", "dateUpdated": "2025-04-16T16:13:37.837Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:46:03.490Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2634", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T15:53:46.897152Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:53:48.522Z"}}], "cna": {"title": "Digi ConnectPort X2D", "source": {"advisory": "ICSA-22-216-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Aar\u00f3n Flecha of S21sec reported this vulnerability to CISA."}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Digi", "product": "ConnectPort X2D", "versions": [{"status": "affected", "version": "All manufactured prior to 01/2020"}]}], "datePublic": "2022-08-04T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01", "tags": ["x_refsource_MISC"]}], "workarounds": [{"lang": "en", "value": "Digi International indicated this vulnerability does not exist in ConnectPort gateways manufactured after January 2020. It is recommended to contact Digi International support for assistance with impacted devices manufactured prior to January 2020."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250 Execution with Unnecessary Privileges"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-08-09T20:18:31.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Aar\u00f3n Flecha of S21sec reported this vulnerability to CISA."}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-22-216-01", "discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "All", "version_value": "manufactured prior to 01/2020", "version_affected": "="}]}, "product_name": "ConnectPort X2D"}]}, "vendor_name": "Digi"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-250 Execution with Unnecessary Privileges"}]}]}, "work_around": [{"lang": "en", "value": "Digi International indicated this vulnerability does not exist in ConnectPort gateways manufactured after January 2020. It is recommended to contact Digi International support for assistance with impacted devices manufactured prior to January 2020."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-2634", "STATE": "PUBLIC", "TITLE": "Digi ConnectPort X2D", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-08-04T17:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-2634", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:13:37.837Z", "dateReserved": "2022-08-02T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-08-09T20:18:31.257Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:digi:connectport_x2d_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "95C24E8F-B481-488B-AD36-C0D3965681A5", "versionEndExcluding": "2020-01-01", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:digi:connectport_x2d:-:*:*:*:*:*:*:*", "matchCriteriaId": "47289275-83A0-4501-8F11-491CA7D16AD8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed."}, {"lang": "es", "value": "Un atacante puede ser capaz de ejecutar acciones maliciosas debido a una falta de protecciones de acceso al dispositivo y permisos del dispositivo cuando es usada la aplicaci\u00f3n web. Esto podr\u00eda conllevar a una carga de archivos python que pueden ser ejecutados posteriormente"}], "id": "CVE-2022-2634", "lastModified": "2024-11-21T07:01:24.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-10T20:15:36.597", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-216-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}