CVE-2022-38138 - Vulnerability Details - OpenCVE

The Triangle Microworks IEC 61850 Library (Any client or server using the C language library with a version number of 11.2.0 or earlier and any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier) and 60870-6 (ICCP/TASE.2) Library (Any client or server using a C++ language library with a version number of 4.4.3 or earlier) are vulnerable to access given to a small number of uninitialized pointers within their code. This could allow an attacker to target any client or server using the affected libraries to cause a denial-of-service condition.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Trianglemicroworks	Iec 60870-6 Software Library Iec 61850 Software Library

Configuration 1 [-]

OR	cpe:2.3:a:trianglemicroworks:iec_60870-6_software_library:-:::::::*
	cpe:2.3:a:trianglemicroworks:iec_61850_software_library:-:::::::*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01

History

Wed, 16 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-10-11T00:00:00.000Z

Updated: 2025-04-16T16:09:09.794Z

Reserved: 2022-08-29T00:00:00.000Z

Link: CVE-2022-38138

Vulnrichment

Updated: 2024-08-03T10:45:52.581Z

NVD

Status : Modified

Published: 2022-10-11T21:15:13.710

Modified: 2024-11-21T07:15:52.147

Link: CVE-2022-38138

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38138", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "dateUpdated": "2025-04-16T16:09:09.794Z", "dateReserved": "2022-08-29T00:00:00.000Z", "datePublished": "2022-10-11T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-10-11T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "The Triangle Microworks IEC 61850 Library (Any client or server using the C language library with a version number of 11.2.0 or earlier and any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier) and 60870-6 (ICCP/TASE.2) Library (Any client or server using a C++ language library with a version number of 4.4.3 or earlier) are vulnerable to access given to a small number of uninitialized pointers within their code. This could allow an attacker to target any client or server using the affected libraries to cause a denial-of-service condition."}], "affected": [{"vendor": "Triangle Microworks", "product": "Library: IEC 61850", "versions": [{"version": "Any client or server using the C language library with a version number of 11.2.0 or earlier", "status": "affected"}, {"version": "Any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier", "status": "affected"}]}, {"vendor": "Triangle Microworks", "product": "Library: IEC 60870-6 (ICCP/Tase.2)", "versions": [{"version": "Any client or server using a C++ language library with a version number of 4.4.3 or earlier", "status": "affected"}]}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-824 Access of Uninitialized Pointer", "cweId": "CWE-824"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.581Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:54:06.629943Z", "id": "CVE-2022-38138", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:09:09.794Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.581Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-38138", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-16T15:54:06.629943Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:54:08.708Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Triangle Microworks", "product": "Library: IEC 61850", "versions": [{"status": "affected", "version": "Any client or server using the C language library with a version number of 11.2.0 or earlier"}, {"status": "affected", "version": "Any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier"}]}, {"vendor": "Triangle Microworks", "product": "Library: IEC 60870-6 (ICCP/Tase.2)", "versions": [{"status": "affected", "version": "Any client or server using a C++ language library with a version number of 4.4.3 or earlier"}]}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The Triangle Microworks IEC 61850 Library (Any client or server using the C language library with a version number of 11.2.0 or earlier and any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier) and 60870-6 (ICCP/TASE.2) Library (Any client or server using a C++ language library with a version number of 4.4.3 or earlier) are vulnerable to access given to a small number of uninitialized pointers within their code. This could allow an attacker to target any client or server using the affected libraries to cause a denial-of-service condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-824", "description": "CWE-824 Access of Uninitialized Pointer"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-10-11T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-38138", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:09:09.794Z", "dateReserved": "2022-08-29T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-10-11T00:00:00.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trianglemicroworks:iec_60870-6_software_library:-:*:*:*:*:*:*:*", "matchCriteriaId": "E96977A1-8B2A-4B3D-9E71-29B98D45C982", "vulnerable": true}, {"criteria": "cpe:2.3:a:trianglemicroworks:iec_61850_software_library:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF0D9113-EBE1-47C8-9C5E-96D3A527ADA2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Triangle Microworks IEC 61850 Library (Any client or server using the C language library with a version number of 11.2.0 or earlier and any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier) and 60870-6 (ICCP/TASE.2) Library (Any client or server using a C++ language library with a version number of 4.4.3 or earlier) are vulnerable to access given to a small number of uninitialized pointers within their code. This could allow an attacker to target any client or server using the affected libraries to cause a denial-of-service condition."}, {"lang": "es", "value": "La biblioteca IEC 61850 de Triangle Microworks (cualquier cliente o servidor que usando la biblioteca de lenguaje C con un n\u00famero de versi\u00f3n de 11.2.0 o anterior y cualquier cliente o servidor usando la biblioteca de lenguaje C++, C# o Java con un n\u00famero de versi\u00f3n de 5.0.1 o anterior) y la biblioteca 60870-6 (ICCP/TASE.2) (cualquier cliente o servidor que utilice una biblioteca de lenguaje C++ con un n\u00famero de versi\u00f3n de 4.4.3 o anterior) son vulnerables al acceso dado a un peque\u00f1o n\u00famero de punteros no inicializados dentro de su c\u00f3digo. Esto podr\u00eda permitir a un atacante dirigirse a cualquier cliente o servidor que utilice las bibliotecas afectadas para causar una condici\u00f3n de denegaci\u00f3n de servicio"}], "id": "CVE-2022-38138", "lastModified": "2024-11-21T07:15:52.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-11T21:15:13.710", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-249-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-824"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-824"}], "source": "nvd@nist.gov", "type": "Primary"}]}