CVE-2022-25302 — HIGH (7.5)

Vulnerability Description

All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing handler for failed casting when unvalidated data is forwarded to boost::get function in OpcUaNodeIdBase.h. Exploiting this vulnerability is possible when sending a specifically crafted OPC UA message with a special encoded NodeId.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Opc Ua Stack Project	Opc Ua Stack	All versions

References

https://security.snyk.io/vuln/SNYK-UNMANAGED-ASNEGOPCUASTACK-2988732Third Party Advisory
https://security.snyk.io/vuln/SNYK-UNMANAGED-ASNEGOPCUASTACK-2988732Third Party Advisory

FAQ

What is CVE-2022-25302?

CVE-2022-25302 is a vulnerability with a CVSS score of 7.5 (HIGH). All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing handler for failed casting when unvalidated data is forwarded to boost::get function in OpcUaNodeIdB...

How severe is CVE-2022-25302?

CVE-2022-25302 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-25302?

Check the references section above for vendor advisories and patch information. Affected products include: Opc Ua Stack Project Opc Ua Stack.