{"containers": {"cna": {"affected": [{"product": "Proficy CIMPLICITY", "vendor": "General Electric", "versions": [{"lessThanOrEqual": "11.1", "status": "affected", "version": "all", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"}], "datePublic": "2022-02-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-25T18:10:55.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"}], "solutions": [{"lang": "en", "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."}], "source": {"discovery": "EXTERNAL"}, "title": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-02-22T23:08:00.000Z", "ID": "CVE-2022-23921", "STATE": "PUBLIC", "TITLE": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Proficy CIMPLICITY", "version": {"version_data": [{"version_affected": "<=", "version_name": "all", "version_value": "11.1"}]}}]}, "vendor_name": "General Electric"}]}}, "credit": [{"lang": "eng", "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269 Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"}]}, "solution": [{"lang": "en", "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:59:23.018Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T17:31:12.537218Z", "id": "CVE-2022-23921", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T18:00:35.453Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-23921", "datePublished": "2022-02-25T18:10:55.935Z", "dateReserved": "2022-01-27T00:00:00.000Z", "dateUpdated": "2025-04-16T18:00:35.453Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:59:23.018Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-23921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T17:31:12.537218Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T17:31:13.904Z"}}], "cna": {"title": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "General Electric", "product": "Proficy CIMPLICITY", "versions": [{"status": "affected", "version": "all", "versionType": "custom", "lessThanOrEqual": "11.1"}]}], "solutions": [{"lang": "en", "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."}], "datePublic": "2022-02-22T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-02-25T18:10:55.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "all", "version_value": "11.1", "version_affected": "<="}]}, "product_name": "Proficy CIMPLICITY"}]}, "vendor_name": "General Electric"}]}}, "solution": [{"lang": "en", "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269 Improper Privilege Management"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-23921", "STATE": "PUBLIC", "TITLE": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-02-22T23:08:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-23921", "state": "PUBLISHED", "dateUpdated": "2025-04-16T18:00:35.453Z", "dateReserved": "2022-01-27T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-02-25T18:10:55.935Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:proficy_cimplicitiy:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AD8F347-ED4B-40B7-A42B-43E5EA4B4CC5", "versionEndIncluding": "11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."}, {"lang": "es", "value": "Una explotaci\u00f3n de esta vulnerabilidad puede resultar en una escalada local de privilegios y una ejecuci\u00f3n de c\u00f3digo. GE mantiene que la explotaci\u00f3n de esta vulnerabilidad s\u00f3lo es posible si el atacante presenta acceso a una m\u00e1quina que ejecuta activamente CIMPLICITY, el servidor de CIMPLICITY no est\u00e1 ejecutando ya un proyecto, y el servidor presenta licencia para m\u00faltiples proyectos.\n"}], "id": "CVE-2022-23921", "lastModified": "2024-11-21T06:49:27.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-25T19:15:24.890", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}