{"containers": {"cna": {"affected": [{"product": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update", "vendor": "ICS-CERT", "versions": [{"status": "affected", "version": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update"}]}], "datePublic": "2019-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-99", "description": "IMPROPER CONTROL OF RESOURCE IDENTIFIERS ('RESOURCE INJECTION') CWE-99", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-02-14T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01"}, {"name": "46342", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46342/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.tenable.com/security/research/tra-2019-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2019-02-05T00:00:00", "ID": "CVE-2019-6545", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update", "version": {"version_data": [{"version_value": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update"}]}}]}, "vendor_name": "ICS-CERT"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER CONTROL OF RESOURCE IDENTIFIERS ('RESOURCE INJECTION') CWE-99"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01"}, {"name": "46342", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46342/"}, {"name": "https://www.tenable.com/security/research/tra-2019-04", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2019-04"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-6545", "datePublished": "2019-02-05T00:00:00", "dateReserved": "2019-01-22T00:00:00", "dateUpdated": "2019-02-14T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp5:*:*:*:*:*:*", "matchCriteriaId": "4C7C2429-3A6B-4552-B12D-CBA00563907D", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp6_p3:*:*:*:*:*:*", "matchCriteriaId": "05020B8D-DB30-4BDA-9BD3-0C7C4804859B", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "55E9450D-F600-4DC6-8C72-8D79974B6802", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "D2CB5BAC-BFCE-41C2-A25C-3E6CB218FBD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp2:*:*:*:*:*:*", "matchCriteriaId": "FBFEECD4-C454-4A47-9B81-91699C325DC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3:*:*:*:*:*:*", "matchCriteriaId": "A62CC412-F399-40B7-8000-A4A707F7F6F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p1:*:*:*:*:*:*", "matchCriteriaId": "127CC5C8-822A-4630-813E-5AE39BEBD5A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p2:*:*:*:*:*:*", "matchCriteriaId": "3D90DF6B-B281-48D3-8672-25294990E611", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p3:*:*:*:*:*:*", "matchCriteriaId": "8721C8BE-1946-4030-B056-67A6B42BCDCA", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p4:*:*:*:*:*:*", "matchCriteriaId": "C07C446B-6125-46D7-BDC4-11849BA6A72D", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p5:*:*:*:*:*:*", "matchCriteriaId": "8D4A9403-5D1E-464F-8B40-D554F4A7C3AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p6:*:*:*:*:*:*", "matchCriteriaId": "FDFC8512-2971-48C3-9576-0FA74B59406B", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p7:*:*:*:*:*:*", "matchCriteriaId": "D2991440-E8EB-4AB1-A861-2A263C443DEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p8:*:*:*:*:*:*", "matchCriteriaId": "23DA9BCB-F9BD-4F9F-A77E-95210C270539", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p9:*:*:*:*:*:*", "matchCriteriaId": "AD1C359C-61FA-4E5F-81CA-991BCB8CD9A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "D07A836A-535F-437E-BD25-1D833BD63327", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:p1:*:*:*:*:*:*", "matchCriteriaId": "AAD4BA73-691D-4E12-936C-7B0F0A0AFF0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:p2:*:*:*:*:*:*", "matchCriteriaId": "D515729F-9316-470F-8D18-34B674E8F5D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:p3:*:*:*:*:*:*", "matchCriteriaId": "542A2064-3D3D-4EF0-AEF5-3D8C45BD8CA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "3C282BFD-02D9-4F80-BBD9-B84B0703D07A", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1_p1:*:*:*:*:*:*", "matchCriteriaId": "92E5DA1B-459C-44B2-9E0B-2B88C985DA98", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "186D0227-8791-44E0-8B80-2AE0427B69D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2_p1:*:*:*:*:*:*", "matchCriteriaId": "DDA36D8C-6CE2-4C5B-A4E2-68031D97516D", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "F7B550C6-160F-480D-8B70-92C6D236C3EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.1:p1:*:*:*:*:*:*", "matchCriteriaId": "2C809DC5-73DC-4E00-ABAB-558844CE2103", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "BC7F3AAD-E423-4CA2-BB78-AC7B081338D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1_p1:*:*:*:*:*:*", "matchCriteriaId": "870D0F41-F2CE-4693-8815-5527A6E5ECD9", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp2:*:*:*:*:*:*", "matchCriteriaId": "CBA02828-7756-4F12-9F3A-DBBD20AFEAF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:intouch_machine_edition_2014:r2:*:*:*:*:*:*:*", "matchCriteriaId": "67AB4CF8-A2C6-4B0D-87EB-62617943F705", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine."}, {"lang": "es", "value": "InduSoft Web Studio, en versiones anteriores a la 8.1 SP3 e InTouch Edge HMI (anteriormente conocido como InTouch Machine Edition), en versiones anteriores a la 2017 Update, de AVEVA Software, LLC. Un usuario no autenticado remoto podr\u00eda emplear un archivo de configuraci\u00f3n de conexi\u00f3n a la base de datos especialmente manipulado para ejecutar un proceso arbitrario en la m\u00e1quina del servidor."}], "id": "CVE-2019-6545", "lastModified": "2023-01-31T21:04:33.740", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-13T01:29:00.367", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46342/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2019-04"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-99"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}