CVE-2019-6834 - OpenCVE

A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Software Update

Configuration 1 [-]

cpe:2.3:a:schneider-electric:software_update:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2019-225-06/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2022-03-28T16:25:19

Updated: 2022-03-28T16:25:19

Reserved: 2019-01-25T00:00:00

Link: CVE-2019-6834

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-13T16:15:09.100

Modified: 2022-04-20T18:28:07.910

Link: CVE-2019-6834

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "Software Update (SESU) \u2013 SUT Service component", "vendor": "Schneider Electric", "versions": [{"lessThanOrEqual": "V2.3.0", "status": "affected", "version": "V2.1.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-28T16:25:19", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2019-225-06/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2019-6834", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Software Update (SESU) \u2013 SUT Service component", "version": {"version_data": [{"version_affected": "<=", "version_name": "V2.1.1", "version_value": "V2.3.0"}]}}]}, "vendor_name": "Schneider Electric"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2019-225-06/", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2019-225-06/"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2019-6834", "datePublished": "2022-03-28T16:25:19", "dateReserved": "2019-01-25T00:00:00", "dateUpdated": "2022-03-28T16:25:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:software_update:*:*:*:*:*:*:*:*", "matchCriteriaId": "5266BDF0-1C54-4624-8E38-265F11F2E969", "versionEndIncluding": "2.3.0", "versionStartIncluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)"}, {"lang": "es", "value": "Una CWE-502: Se presenta una vulnerabilidad de Deserializaci\u00f3n de Datos no Confiables que podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario en el sistema objetivo con privilegios SYSTEM cuando es colocado un usuario malicioso para ser autenticado para que esta vulnerabilidad sea explotada con \u00e9xito. Producto afectado: Componente de servicio SUT de Schneider Electric Software Update (SESU) (versiones V2.1.1 a V2.3.0)"}], "id": "CVE-2019-6834", "lastModified": "2022-04-20T18:28:07.910", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2022-04-13T16:15:09.100", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://www.se.com/ww/en/download/document/SEVD-2019-225-06/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cybersecurity@se.com", "type": "Primary"}]}