Incorrect Permission Assignment for Critical Resource vulnerability in OPC Server for AC 800M allows an attacker to execute arbitrary code in the node running the AC800M OPC Server.

CVE-2021-22284

Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 module allows an attacker to cause the denial of service or make the module unresponsive.

CVE-2021-22288

CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.

CA20220203-01: Security Notice for CA Harvest Software Change Manager

**CA20220203-01: Security Notice for CA Harvest Software Change Manager**

Issued: February 3rd, 2022

CA Technologies, A Broadcom Company, is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions.

The vulnerability, CVE-2022-22689, occurs due to insufficient input validation.  A privileged user can potentially execute arbitrary code or commands.

**Risk Rating**

CVE-2022-22689 - High

**Platform(s)**

Microsoft Windows, Linux, Linux s390x, Apple MacOS

**Affected Products**

CA Harvest Software Change Manager 13.0.3  
CA Harvest Software Change Manager 13.0.4  
CA Harvest Software Change Manager 14.0.0  
CA Harvest Software Change Manager 14.0.1  
Note: older, unsupported versions may be affected

**How to determine if the installation is affected**

For Harvest Workbench, check for “CA Harvest Software Change Manager Workbench” release number.  
From Harvest workbench, Click on About > CA Harvest Software Change Manager Workbench  
For 13.0.3 it would be 13.0.3.152  
For 13.0.4 it would be 13.0.4.254  
For 14.0.0 it would be 14.0.0.369  
For 14.0.1 it would be 14.0.0.369

For Eclipse, check for “CA Harvest SCM Team Provider” feature version.  
From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features  
For 13.0.3 it would be 13.0.3.152 or 13.0.3.152a  
For 13.0.4 it would be 13.0.4.254 or 13.0.4.254a or 13.0.4.254b or 13.0.4.254c  
For 14.0.0 it would be 14.0.0.369 or 14.0.0.369a  
For 14.0.1 it would be 14.0.0.369 or 14.0.0.369a 

**Solution**

CA Technologies published the following solutions to address the vulnerabilities:

Apply the appropriate fix provided for 13.0.3, 13.0.4, 14.0.0, or 14.0.1.

Fixes are available at:  
13.0.3 APAR 99111332  
13.0.4 APAR 99111333  
14.0.0 APAR 99111334  
14.0.1 APAR 99111356

**How to determine if the fix is applied**

For Harvest Workbench, check for “CA Harvest SCM Workbench” feature name.  
From Harvest Workbench, Click on About > CA Harvest Software Change Manager Workbench > Installation Details > Features  
Feature name would be “CA Harvest SCM Workbench-Efix-V0001”

For Eclipse, check for “CA Harvest SCM Team Provider” feature version.  
From Eclipse, Click on About > About Eclipse IDE > Installation Details > Features  
For 13.0.3 it would be 13.0.3.152b  
For 13.0.4 it would be 13.0.4.254d  
For 14.0.0 it would be 14.0.0.369b  
For 14.0.1 it would be 14.0.2.16

**References**

CVE-2022-22689 - CA Harvest Software Change Manager CSV injection vulnerability

**Acknowledgement**

CVE-2022-22689 - Merten Nagel of usd AG

**Change History**

Version 1.0: 2022-02-03 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at https://support.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.

Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

CVE-2022-22689: Support Content Notification - Support Portal - Broadcom support portal

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

CVE-2022-24262: News - VoIPmonitor

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

98.0.1108.43

2/3/2022

98.0.4758.80

Tag

#microsoft