CVE-2022-30311

Summary

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

Affected Software

VendorProductVersion RangeStatus
FestoController CECC-X-M1 (4407603)3.0.0 <= 3.8.14affected
FestoController CECC-X-M1 (8124922)4.0.14affected
FestoController CECC-X-M1-MV (4407605)3.0.0 <= 3.8.14affected
FestoController CECC-X-M1-MV (8124923)4.0.14affected
FestoController CECC-X-M1-MV-S1 (4407606)3.0.0 <= 3.8.14affected
FestoController CECC-X-M1-MV-S1 (8124924)4.0.14affected
FestoController CECC-X-M1-YS-L1 (8082793)3.0.0 <= 3.8.14affected
FestoController CECC-X-M1-YS-L2 (8082794)3.0.0 <= 3.8.14affected
FestoController CECC-X-M1-Y-YJKP (4803891)3.0.0 <= 3.8.14affected
FestoServo Press Kit YJKP (8077950)3.0.0 <= 3.8.14affected
FestoServo Press Kit YJKP- (8058596)3.0.0 <= 3.8.14affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization
  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CVE Program Container

Additional References

References