CVE-2019-16261 - OpenCVE

Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:P/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Tripplite	Pdumh15at Pdumh15at Firmware

Configuration 1 [-]

AND

cpe:2.3:o:tripplite:pdumh15at_firmware:12.04.0053:*:*:*:*:*:*:*

cpe:2.3:h:tripplite:pdumh15at:-:*:*:*:*:*:*:*

References

Link	Resource
https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-12T14:07:11

Updated: 2019-09-12T14:07:11

Reserved: 2019-09-12T00:00:00

Link: CVE-2019-16261

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-12T15:15:11.157

Modified: 2019-09-13T16:55:01.627

Link: CVE-2019-16261

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-12T14:07:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-16261", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits", "refsource": "MISC", "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-16261", "datePublished": "2019-09-12T14:07:11", "dateReserved": "2019-09-12T00:00:00", "dateUpdated": "2019-09-12T14:07:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tripplite:pdumh15at_firmware:12.04.0053:*:*:*:*:*:*:*", "matchCriteriaId": "C3D415AD-B58A-4B6C-A8BB-64B4AFF025CC", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tripplite:pdumh15at:-:*:*:*:*:*:*:*", "matchCriteriaId": "FBA0D9EE-D5FE-4C60-BEAE-228E34AC7FF9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Tripp Lite PDUMH15AT 12.04.0053 devices allow unauthenticated POST requests to the /Forms/ directory, as demonstrated by changing the manager or admin password, or shutting off power to an outlet. NOTE: the vendor's position is that a newer firmware version, fixing this vulnerability, had already been released before this vulnerability report about 12.04.0053."}, {"lang": "es", "value": "Dispositivos Tripp Lite PDUMH15AT versi\u00f3n 12.04.0053, permiten peticiones POST no autenticadas en el directorio /Forms/, como es demostrado al cambiar el administrador o la contrase\u00f1a de administrador, o al apagar la alimentaci\u00f3n a una toma de corriente. NOTA: la posici\u00f3n del proveedor es que una versi\u00f3n de firmware m\u00e1s nueva, que corrige esta vulnerabilidad, ya hab\u00eda sido publicado antes de este reporte de vulnerabilidad alrededor de la versi\u00f3n 12.04.0053."}], "id": "CVE-2019-16261", "lastModified": "2019-09-13T16:55:01.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-12T15:15:11.157", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}