CVE-2018-7835 - OpenCVE

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in IIoT Monitor 3.1.38 which could allow access to files available to SYSTEM user.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:C/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Iiot Monior

Configuration 1 [-]

cpe:2.3:a:schneider-electric:iiot_monior:3.1.38:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/106484	Third Party Advisory
https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2018-12-24T16:00:00

Updated: 2019-01-10T10:57:01

Reserved: 2018-03-08T00:00:00

Link: CVE-2018-7835

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-12-24T16:29:00.907

Modified: 2019-02-01T17:28:33.687

Link: CVE-2018-7835

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "IIoT Monitor 3.1.38", "vendor": "Schneider Electric SE", "versions": [{"status": "affected", "version": "IIoT Monitor 3.1.38"}]}], "datePublic": "2018-12-24T00:00:00", "descriptions": [{"lang": "en", "value": "An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in IIoT Monitor 3.1.38 which could allow access to files available to SYSTEM user."}], "problemTypes": [{"descriptions": [{"description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-10T10:57:01", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"name": "106484", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106484"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2018-7835", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "IIoT Monitor 3.1.38", "version": {"version_data": [{"version_value": "IIoT Monitor 3.1.38"}]}}]}, "vendor_name": "Schneider Electric SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in IIoT Monitor 3.1.38 which could allow access to files available to SYSTEM user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "106484", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106484"}, {"name": "https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/", "refsource": "CONFIRM", "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2018-7835", "datePublished": "2018-12-24T16:00:00", "dateReserved": "2018-03-08T00:00:00", "dateUpdated": "2019-01-10T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:iiot_monior:3.1.38:*:*:*:*:*:*:*", "matchCriteriaId": "B2F8DD41-8532-4663-A759-82022E2CEF0A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in IIoT Monitor 3.1.38 which could allow access to files available to SYSTEM user."}, {"lang": "es", "value": "Existe una vulnerabilidad de limitaci\u00f3n incorrecta de un nombre de ruta en un directorio restringido (\"salto de directorio\") en IIoT Monitor 3.1.38, lo que podr\u00eda permitir el acceso a archivos disponibles para el usuario SYSTEM."}], "id": "CVE-2018-7835", "lastModified": "2019-02-01T17:28:33.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-24T16:29:00.907", "references": [{"source": "cybersecurity@se.com", "tags": ["Third Party Advisory"], "url": "http://www.securityfocus.com/bid/106484"}, {"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-354-03/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}