CVE-2022-35217

The NHI card’s web service component has a stack-based buffer overflow vulnerability due to insufficient validation for network packet header length. A local area network attacker with general user privilege can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-6353-31470-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:nhi:health_insurance_web_service_component:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-08-02 16:15

Updated : 2022-08-10 16:46

NVD link : CVE-2022-35217

Mitre link : CVE-2022-35217

CVE.ORG link : CVE-2022-35217

JSON object : View

Products Affected

microsoft

windows

nhi

health_insurance_web_service_component

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2022-35217", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2022-08-02T16:15:10.243", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6353-31470-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "The NHI card\u2019s web service component has a stack-based buffer overflow vulnerability due to insufficient validation for network packet header length. A local area network attacker with general user privilege can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service."}, {"lang": "es", "value": "El componente de servicio web de la tarjeta NHI presenta una vulnerabilidad de desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria debido a una comprobaci\u00f3n insuficiente de la longitud del encabezado del paquete de red. Un atacante de la red de \u00e1rea local con privilegio de usuario general puede explotar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario, manipular el comando del sistema o interrumpir el servicio"}], "lastModified": "2022-08-10T16:46:02.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nhi:health_insurance_web_service_component:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0379276F-4782-4249-82EF-A26C6EE14E8B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "twcert@cert.org.tw"}