{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-2155","assignerOrgId":"e383dce4-0c27-4495-91c4-0db157728d17","state":"PUBLISHED","assignerShortName":"Hitachi Energy","dateReserved":"2022-06-21T16:47:22.017Z","datePublished":"2023-01-12T14:01:51.857Z","dateUpdated":"2025-04-07T15:06:41.003Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Lumada APM","vendor":"Hitachi Energy","versions":[{"status":"affected","version":"6.0.0.*"},{"status":"affected","version":"6.1.0.*"},{"status":"affected","version":"6.2.0.*"},{"status":"affected","version":"6.3.0.*"},{"status":"affected","version":"6.4.0.0"},{"status":"unaffected","version":"6.4.0.1"},{"status":"unaffected","version":"6.5.0.0"}]}],"datePublic":"2022-12-23T13:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\nA vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer. \n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.

\n\nAffected versions
List of CPEs: 
"}],"value":"\nA vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature\ndue to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports\nfeature. An attacker that manages to exploit the vulnerability on a customer’s Lumada APM could access unauthorized information by gaining\nunauthorized access to any Power BI reports installed by the customer. \n\nFurthermore, the vulnerability enables an attacker to manipulate asset issue comments on assets, which should not be available to the attacker.\n\n\n\nAffected versions \n * Lumada APM on-premises version 6.0.0.0 - 6.4.0.*\n\n\n\nList of CPEs: \n * cpe:2.3:a:hitachienergy:lumada_apm:6.0.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.1.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.2.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.3.0.0:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:lumada_apm:6.4.0.0:*:*:*:*:*:*:*\n\n\n"}],"impacts":[{"capecId":"CAPEC-122","descriptions":[{"lang":"en","value":"CAPEC-122 Privilege Abuse"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"e383dce4-0c27-4495-91c4-0db157728d17","shortName":"Hitachi Energy","dateUpdated":"2023-01-12T14:01:51.857Z"},"references":[{"url":"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":""}],"value":" * For Lumada APM version 6.4.0.* – Update to Lumada APM version 6.4.0.1, or upgrade to Lumada APM version 6.5.0.0 (or newer).\n\n * For Lumada APM versions prior to 6.4.0.0 – Upgrade to Lumada APM version 6.4.0.1 or 6.5.0.0 or newer. \n\n\n\n"}],"source":{"discovery":"INTERNAL"},"title":"A vulnerability exists in the Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role. ","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\nOut-of-the-box, Lumada APM – On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM. 
Apply general mitigation factors as described in the respective advisory. "}],"value":"\nOut-of-the-box, Lumada APM – On Premise does not support the Power BI integration feature. Nonetheless,\none can connect a subscription-based Power BI to Lumada APM. \n * In case the Power BI integration feature is enabled, it is recommended to either disable the unsupported Power BI integration feature if there are users with “Limited Engineer” role, or to remove any users with “Limited Engineer” role or to assign those users to other role prior to using the unsupported Power BI integration feature.\n * If Power BI integration is disabled, it is safe to continue to assign the “Limited Engineer” role to users.\n\n\n\nApply general mitigation factors as described in the respective advisory. "}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T00:32:07.969Z"},"title":"CVE Program Container","references":[{"url":"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000112&LanguageCode=en&DocumentPartId=&Action=Launch","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-07T15:06:22.175649Z","id":"CVE-2022-2155","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-07T15:06:41.003Z"}}]}}