CVE-2019-6545

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-6545

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

A

VEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

References
Link Resource
https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01 Mitigation Third Party Advisory US Government Resource
https://www.exploit-db.com/exploits/46342/ Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2019-04 Third Party Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01 Mitigation Third Party Advisory US Government Resource
https://www.exploit-db.com/exploits/46342/ Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2019-04 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp5:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp6_p3:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:*:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp2:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p2:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p3:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p4:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p5:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p6:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p7:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p8:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p9:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:*:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:p1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:p2:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:p3:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1_p1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2_p1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.1:*:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.1:p1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1_p1:*:*:*:*:*:*
cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp2:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:aveva:intouch_machine_edition_2014:r2:*:*:*:*:*:*:*
History

21 Nov 2024, 04:46

Type Values Removed Values Added
References () https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01 - Mitigation, Third Party Advisory, US Government Resource () https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01 - Mitigation, Third Party Advisory, US Government Resource
References () https://www.exploit-db.com/exploits/46342/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/46342/ - Exploit, Third Party Advisory, VDB Entry
References () https://www.tenable.com/security/research/tra-2019-04 - Third Party Advisory () https://www.tenable.com/security/research/tra-2019-04 - Third Party Advisory
Information

Published : 2019-02-13 01:29

Updated : 2024-11-21 04:46

NVD link : CVE-2019-6545

Mitre link : CVE-2019-6545

CVE.ORG link : CVE-2019-6545

JSON object : View

Products Affected

aveva

CWE
CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

NVD-CWE-Other