CVE-2018-7495 - OpenCVE

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Advantech	Webaccess Scada Webaccess Dashboard Webaccess Webaccess\/nms

Configuration 1 [-]

cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:advantech:webaccess_dashboard:*:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:advantech:webaccess_scada:*:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:a:advantech:webaccess\/nms:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/104190	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2018-05-15T00:00:00

Updated: 2018-05-17T09:57:01

Reserved: 2018-02-26T00:00:00

Link: CVE-2018-7495

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-15T22:29:00.410

Modified: 2019-10-09T23:42:19.300

Link: CVE-2018-7495

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "WebAccess", "vendor": "Advantech", "versions": [{"status": "affected", "version": "WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, WebAccess/NMS 2.0.3 and prior."}]}], "datePublic": "2018-05-15T00:00:00", "descriptions": [{"lang": "en", "value": "In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-17T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "104190", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104190"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2018-05-15T00:00:00", "ID": "CVE-2018-7495", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WebAccess", "version": {"version_data": [{"version_value": "WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, WebAccess/NMS 2.0.3 and prior."}]}}]}, "vendor_name": "Advantech"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73"}]}]}, "references": {"reference_data": [{"name": "104190", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104190"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-7495", "datePublished": "2018-05-15T00:00:00", "dateReserved": "2018-02-26T00:00:00", "dateUpdated": "2018-05-17T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*", "matchCriteriaId": "61F777E3-FB93-442A-B830-C5494C0AD4CD", "versionEndIncluding": "8.2_20170817", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9C26F1B-CD68-40F2-9EE3-C03A8EAC5573", "versionEndIncluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webaccess_dashboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "F99D565D-82AE-4205-BE99-2C5918A4A91B", "versionEndIncluding": "2.0.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webaccess_scada:*:*:*:*:*:*:*:*", "matchCriteriaId": "1196D390-998B-4A43-BFEC-6505835D71A3", "versionEndExcluding": "8.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webaccess\\/nms:*:*:*:*:*:*:*:*", "matchCriteriaId": "06E2B0CD-1C2D-4F73-8943-5A621D702FDD", "versionEndIncluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files."}, {"lang": "es", "value": "En Advantech WebAccess en versiones V8.2_20170817 y anteriores, WebAccess en versiones V8.3.0 y anteriores, WebAccess Dashboard en versiones V.2.0.15 y anteriores, WebAccess Scada Node en versiones anteriores a la 8.3.1 y WebAccess/NMS 2.0.3 y anteriores, se ha identificado una vulnerabilidad de control externo del nombre de archivo o ruta que podr\u00eda permitir que un atacante elimine archivos."}], "id": "CVE-2018-7495", "lastModified": "2019-10-09T23:42:19.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-15T22:29:00.410", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104190"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-73"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}