Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-32143

Publication date:

24/06/2022

In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously successfully authenticated himself to the controller. A successful Attack may lead to a denial of service, change of local files, or drain of confidential Information. User interaction is not required

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-32141

Publication date:

24/06/2022

Multiple CODESYS Products are prone to a buffer over read. A low privileged remote attacker may craft a request with an invalid offset, which can cause an internal buffer over-read, resulting in a denial-of-service condition. User interaction is not required.

Severity CVSS v4.0: Pending analysis

Last modification:

29/06/2023

CVE-2021-34604

Publication date:

24/06/2022

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. It is a duplicate of CVE-2022-22514. Notes: none

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-31806

Publication date:

24/06/2022

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

Severity CVSS v4.0: Pending analysis

Last modification:

07/07/2022

CVE-2022-31802

Publication date:

24/06/2022

In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared to the real CODESYS Gateway password. An attacker may perform authentication by specifying a small password that matches the corresponding part of the longer real CODESYS Gateway password.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-31803

Publication date:

24/06/2022

In CODESYS Gateway Server V2 an insufficient check for the activity of TCP client connections allows an unauthenticated attacker to consume all available TCP connections and prevent legitimate users or clients from establishing a new connection to the CODESYS Gateway Server V2. Existing connections are not affected and therefore remain intact.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-31804

Publication date:

24/06/2022

The CODESYS Gateway Server V2 does not verifiy that the size of a request is within expected limits. An unauthenticated attacker may allocate an arbitrary amount of memory, which may lead to a crash of the Gateway due to an out-of-memory condition.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-32136

Publication date:

24/06/2022

In multiple CODESYS products, a low privileged remote attacker may craft a request that cause a read access to an uninitialized pointer, resulting in a denial-of-service. User interaction is not required.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-32137

Publication date:

24/06/2022

In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite. User interaction is not required.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-32138

Publication date:

24/06/2022

In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-32139

Publication date:

24/06/2022

In multiple CODESYS products, a low privileged remote attacker may craft a request, which cause an out-of-bounds read, resulting in a denial-of-service condition. User Interaction is not required.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

CVE-2022-32140

Publication date:

24/06/2022

Multiple CODESYS products are affected to a buffer overflow.A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition. User Interaction is not required.

Severity CVSS v4.0: Pending analysis

Last modification:

01/07/2022

Subscribe to Vulnerabilities