var-201902-0132
Vulnerability from variot
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine. InduSoft Web Studio and InTouch Edge HMI Contains a resource insertion vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AVEVA Group plc InduSoft Web Studio and InTouch Edge HMI are products of UK AVEVA Group plc. InduSoft Web Studio is a set of industrial configuration software. InTouch Edge HMI is a scalable HMI application. Attackers can exploit these issues to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 2.6,
"vendor": "indusoft web studio",
"version": "7.1"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 1.6,
"vendor": "indusoft web studio",
"version": "8.0"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 1.0,
"vendor": "indusoft web studio",
"version": "8.1"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "7.1"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "6.1"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "8.0"
},
{
"_id": null,
"model": "intouch machine edition 2014",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "r2"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "8.1"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "lt",
"trust": 0.8,
"vendor": "aveva",
"version": "8.1 sp3"
},
{
"_id": null,
"model": "intouch machine edition 2017",
"scope": "lt",
"trust": 0.8,
"vendor": "aveva",
"version": "2017 update"
},
{
"_id": null,
"model": "group plc indusoft web studio||intouch edge hmi update",
"scope": "lt",
"trust": 0.6,
"vendor": "aveva",
"version": "2017"
},
{
"_id": null,
"model": "group plc indusoft web studio||intouch edge hmi sp3",
"scope": "lt",
"trust": 0.6,
"vendor": "aveva",
"version": "8.1"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "indusoft web studio",
"version": "6.1"
},
{
"_id": null,
"model": "intouch edge hmi",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "2017"
},
{
"_id": null,
"model": "indusoft web studio sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "8.1"
},
{
"_id": null,
"model": "indusoft web studio sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "8.1"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "8.1"
},
{
"_id": null,
"model": "indusoft web studio sp2 patch",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "8.01"
},
{
"_id": null,
"model": "indusoft web studio sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "8.0"
},
{
"_id": null,
"model": "indusoft web studio patch",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "7.1.3.55"
},
{
"_id": null,
"model": "indusoft web studio sp patch",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "7.1.3.434"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "7.1.3.4"
},
{
"_id": null,
"model": "indusoft web studio",
"scope": "eq",
"trust": 0.3,
"vendor": "schneider electric",
"version": "7.1.3.2"
},
{
"_id": null,
"model": "indusoft web studio sp3",
"scope": "ne",
"trust": 0.3,
"vendor": "schneider electric",
"version": "8.1"
},
{
"_id": null,
"model": "r2",
"scope": null,
"trust": 0.2,
"vendor": "intouch machine edition 2014",
"version": null
}
],
"sources": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "CNVD",
"id": "CNVD-2019-43392"
},
{
"db": "BID",
"id": "107144"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "NVD",
"id": "CVE-2019-6545"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:aveva:indusoft_web_studio",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:aveva:intouch_machine",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
}
]
},
"credits": {
"_id": null,
"data": "Tenable Research",
"sources": [
{
"db": "BID",
"id": "107144"
}
],
"trust": 0.3
},
"cve": "CVE-2019-6545",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2019-6545",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2019-6545",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-43392",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2019-6545",
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-6545",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-6545",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2019-6545",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2019-43392",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201902-532",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76",
"trust": 0.2,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2019-6545",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "CNVD",
"id": "CNVD-2019-43392"
},
{
"db": "VULMON",
"id": "CVE-2019-6545"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532"
},
{
"db": "NVD",
"id": "CVE-2019-6545"
}
]
},
"description": {
"_id": null,
"data": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine. InduSoft Web Studio and InTouch Edge HMI Contains a resource insertion vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. AVEVA Group plc InduSoft Web Studio and InTouch Edge HMI are products of UK AVEVA Group plc. InduSoft Web Studio is a set of industrial configuration software. InTouch Edge HMI is a scalable HMI application. \nAttackers can exploit these issues to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-6545"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "CNVD",
"id": "CNVD-2019-43392"
},
{
"db": "BID",
"id": "107144"
},
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "VULMON",
"id": "CVE-2019-6545"
}
],
"trust": 2.7
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2019-6545",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-19-036-01",
"trust": 2.8
},
{
"db": "EXPLOIT-DB",
"id": "46342",
"trust": 2.0
},
{
"db": "TENABLE",
"id": "TRA-2019-04",
"trust": 1.7
},
{
"db": "CNVD",
"id": "CNVD-2019-43392",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2019.0344",
"trust": 0.6
},
{
"db": "BID",
"id": "107144",
"trust": 0.3
},
{
"db": "IVD",
"id": "7332E08B-7B29-4949-B5BA-8EE4BD8FCA76",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "151602",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2019-6545",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "CNVD",
"id": "CNVD-2019-43392"
},
{
"db": "VULMON",
"id": "CVE-2019-6545"
},
{
"db": "BID",
"id": "107144"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532"
},
{
"db": "NVD",
"id": "CVE-2019-6545"
}
]
},
"id": "VAR-201902-0132",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "CNVD",
"id": "CNVD-2019-43392"
}
],
"trust": 1.5524224666666666
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "CNVD",
"id": "CNVD-2019-43392"
}
]
},
"last_update_date": "2024-11-23T22:17:08.185000Z",
"patch": {
"_id": null,
"data": [
{
"title": "AVEVA Security Bulletin LFSEC00000133",
"trust": 0.8,
"url": "https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec133.pdf?hsLang=en"
},
{
"title": "Patch for AVEVA Group plc InduSoft Web Studio and InTouch Edge HMI have an unknown vulnerability (CNVD-2019-43392)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/192859"
},
{
"title": "AVEVA Group plc InduSoft Web Studio and InTouch Edge HMI Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=89343"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-43392"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-99",
"trust": 1.8
},
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "NVD",
"id": "CVE-2019-6545"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 3.5,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-19-036-01"
},
{
"trust": 1.7,
"url": "https://www.tenable.com/security/research/tra-2019-04"
},
{
"trust": 1.7,
"url": "https://www.exploit-db.com/exploits/46342/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-6545"
},
{
"trust": 0.9,
"url": "https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/securitybulletin_lfsec133.pdf?hslang=en"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6545"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/75070"
},
{
"trust": 0.3,
"url": "http://www.indusoft.com/products-downloads"
},
{
"trust": 0.3,
"url": "https://industrial-software.com/training-support/downloads-by-product/intouch-machine-edition"
},
{
"trust": 0.3,
"url": "https://www.exploit-db.com/exploits/46342"
},
{
"trust": 0.3,
"url": "http://www.indusoft.com/indusoftart.php?catid=1\u0026name=iws/webstudio"
},
{
"trust": 0.3,
"url": "http://www.indusoft.com/products-downloads/download-library/current-release-notes"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/99.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/151602/indusoft-web-studio-8.1-sp2-remote-code-execution.html"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-43392"
},
{
"db": "VULMON",
"id": "CVE-2019-6545"
},
{
"db": "BID",
"id": "107144"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532"
},
{
"db": "NVD",
"id": "CVE-2019-6545"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76",
"ident": null
},
{
"db": "CNVD",
"id": "CNVD-2019-43392",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2019-6545",
"ident": null
},
{
"db": "BID",
"id": "107144",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2019-001341",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2019-6545",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2019-12-03T00:00:00",
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76",
"ident": null
},
{
"date": "2019-12-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-43392",
"ident": null
},
{
"date": "2019-02-13T00:00:00",
"db": "VULMON",
"id": "CVE-2019-6545",
"ident": null
},
{
"date": "2019-02-05T00:00:00",
"db": "BID",
"id": "107144",
"ident": null
},
{
"date": "2019-02-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-001341",
"ident": null
},
{
"date": "2019-02-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-532",
"ident": null
},
{
"date": "2019-02-13T01:29:00.367000",
"db": "NVD",
"id": "CVE-2019-6545",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2019-12-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-43392",
"ident": null
},
{
"date": "2019-10-09T00:00:00",
"db": "VULMON",
"id": "CVE-2019-6545",
"ident": null
},
{
"date": "2019-02-05T00:00:00",
"db": "BID",
"id": "107144",
"ident": null
},
{
"date": "2019-02-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-001341",
"ident": null
},
{
"date": "2023-02-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-532",
"ident": null
},
{
"date": "2024-11-21T04:46:40.100000",
"db": "NVD",
"id": "CVE-2019-6545",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-532"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "InduSoft Web Studio and InTouch Edge HMI Vulnerable to resource insertion",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-001341"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "other",
"sources": [
{
"db": "IVD",
"id": "7332e08b-7b29-4949-b5ba-8ee4bd8fca76"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-532"
}
],
"trust": 0.8
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.