CVE-2022-37953

WorkstationST - Response Splitting in AM Gateway Challenge-Response

Description

An HTTP response splitting vulnerability exists in the AM Gateway Challenge-Response dialog of WorkstationST (<v07.09.15) and could allow an attacker to compromise a victim's browser/session. WorkstationST is only deployed in specific, controlled environments, which makes attack complexity significantly higher than if the attack were conducted against the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater.

Remediation

Solution:

  • Upgrade to Workstation >= 7.09.15 which can be found in ControlST 7.09.07c SP8 and higher.

Workaround:

  • Customers should follow the guidance laid out in GEH-6839. The best practices described in that document limit the likelihood and impact of a wide variety of attacks.

Category

CVSS 3.1: 4.7
Severity: Medium
EPSS 0.27%
Vendor Advisory ge.com
Affected: GE Gas Power WorkstationST
Published at:
Updated at:

Frequently Asked Questions

What is the severity of CVE-2022-37953?
CVE-2022-37953 has been scored as a medium severity vulnerability.
How to fix CVE-2022-37953?
To fix CVE-2022-37953: Upgrade to Workstation >= 7.09.15 which can be found in ControlST 7.09.07c SP8 and higher.
Is CVE-2022-37953 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-37953 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-37953?
CVE-2022-37953 affects GE Gas Power WorkstationST.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.