CVE-2019-13528 - OpenCVE

A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tridium	Niagara Ax Jace-8000 Niagara4 Jace 7 Edge 10 Jace 6e Jace 3e

Configuration 1 [-]

AND

cpe:2.3:o:tridium:niagara_ax:3.8u4:*:*:*:*:*:*:*

OR	cpe:2.3:h:tridium:jace-8000:-:::::::*
	cpe:2.3:h:tridium:jace_3e:-:::::::*
	cpe:2.3:h:tridium:jace_6e:-:::::::*
	cpe:2.3:h:tridium:jace_7:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:o:tridium:niagara4:4.4u3:*:*:*:*:*:*:*

OR	cpe:2.3:h:tridium:jace-8000:-:::::::*
	cpe:2.3:h:tridium:jace_3e:-:::::::*
	cpe:2.3:h:tridium:jace_6e:-:::::::*
	cpe:2.3:h:tridium:jace_7:-:::::::*

Configuration 3 [-]

AND

cpe:2.3:o:tridium:niagara4:4.7u1:*:*:*:*:*:*:*

OR	cpe:2.3:h:tridium:edge_10:-:::::::*
	cpe:2.3:h:tridium:jace-8000:-:::::::*

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsa-19-262-01	Mitigation Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2019-09-24T21:23:48

Updated: 2019-09-24T21:23:48

Reserved: 2019-07-11T00:00:00

Link: CVE-2019-13528

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-24T22:15:13.013

Modified: 2020-10-16T13:18:24.897

Link: CVE-2019-13528

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Niagara", "vendor": "n/a", "versions": [{"status": "affected", "version": "Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.7u1 (JACE-8000, Edge 10)"}]}], "descriptions": [{"lang": "en", "value": "A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "Improper Authorization CWE-285", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-24T21:23:48", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-262-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-13528", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Niagara", "version": {"version_data": [{"version_value": "Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.7u1 (JACE-8000, Edge 10)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Authorization CWE-285"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-262-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-262-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-13528", "datePublished": "2019-09-24T21:23:48", "dateReserved": "2019-07-11T00:00:00", "dateUpdated": "2019-09-24T21:23:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tridium:niagara_ax:3.8u4:*:*:*:*:*:*:*", "matchCriteriaId": "7E3FFCA6-9C70-46B2-B301-9E54163DE7FA", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tridium:jace-8000:-:*:*:*:*:*:*:*", "matchCriteriaId": "A304E3B0-A005-4836-BFB1-BEA0A69B9AF9", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace_3e:-:*:*:*:*:*:*:*", "matchCriteriaId": "D91A8C9E-5518-4B2A-96AE-05628ED849EE", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace_6e:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DABBF93-0228-4927-AEC1-6821418C11A4", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace_7:-:*:*:*:*:*:*:*", "matchCriteriaId": "34DF5C59-6D29-42B0-97E0-BDFA15B2490F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tridium:niagara4:4.4u3:*:*:*:*:*:*:*", "matchCriteriaId": "A8765AEE-0827-4598-BBA8-B8AEE2D646E2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tridium:jace-8000:-:*:*:*:*:*:*:*", "matchCriteriaId": "A304E3B0-A005-4836-BFB1-BEA0A69B9AF9", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace_3e:-:*:*:*:*:*:*:*", "matchCriteriaId": "D91A8C9E-5518-4B2A-96AE-05628ED849EE", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace_6e:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DABBF93-0228-4927-AEC1-6821418C11A4", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace_7:-:*:*:*:*:*:*:*", "matchCriteriaId": "34DF5C59-6D29-42B0-97E0-BDFA15B2490F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tridium:niagara4:4.7u1:*:*:*:*:*:*:*", "matchCriteriaId": "79445A77-1EE1-4066-8FBA-2F577DA597C0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tridium:edge_10:-:*:*:*:*:*:*:*", "matchCriteriaId": "C7BEB9A8-CA51-405D-958B-83EC76FDC3BF", "vulnerable": false}, {"criteria": "cpe:2.3:h:tridium:jace-8000:-:*:*:*:*:*:*:*", "matchCriteriaId": "A304E3B0-A005-4836-BFB1-BEA0A69B9AF9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10)."}, {"lang": "es", "value": "Una utilidad espec\u00edfica puede permitir a un atacante conseguir acceso de lectura para archivos privilegiados en Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE- 8000) y Niagara 4.7u1 (JACE-8000, Edge 10)."}], "id": "CVE-2019-13528", "lastModified": "2020-10-16T13:18:24.897", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-24T22:15:13.013", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-262-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}