CVE-2019-6836 - OpenCVE

A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Meg6260-0410 Firmware Meg6260-0415 Firmware Meg6501-0002 Meg6260-0415 Meg6501-0002 Firmware Meg6501-0001 Firmware Meg6260-0410 Meg6501-0001

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:meg6501-0001_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:schneider-electric:meg6501-0001:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:schneider-electric:meg6501-0002_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:schneider-electric:meg6501-0002:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:schneider-electric:meg6260-0410_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:schneider-electric:meg6260-0410:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:schneider-electric:meg6260-0415_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:schneider-electric:meg6260-0415:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.se.com/ww/en/download/document/SEVD-2019-253-01/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2019-09-17T19:14:36

Updated: 2021-04-16T21:47:42

Reserved: 2019-01-25T00:00:00

Link: CVE-2019-6836

JSON object: View

NVD Information

Status : Modified

Published: 2019-09-17T20:15:12.593

Modified: 2021-04-16T22:15:12.967

Link: CVE-2019-6836

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "U.motion Servers (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, and MEG6260-0415 - U.motion KNX Server Plus, Touch 1)", "vendor": "n/a", "versions": [{"status": "affected", "version": "U.motion Servers (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, and MEG6260-0415 - U.motion KNX Server Plus, Touch 1)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-16T21:47:42", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.se.com/ww/en/download/document/SEVD-2019-253-01/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2019-6836", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "U.motion Servers (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, and MEG6260-0415 - U.motion KNX Server Plus, Touch 1)", "version": {"version_data": [{"version_value": "U.motion Servers (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, and MEG6260-0415 - U.motion KNX Server Plus, Touch 1)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.se.com/ww/en/download/document/SEVD-2019-253-01/", "refsource": "MISC", "url": "https://www.se.com/ww/en/download/document/SEVD-2019-253-01/"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2019-6836", "datePublished": "2019-09-17T19:14:36", "dateReserved": "2019-01-25T00:00:00", "dateUpdated": "2021-04-16T21:47:42", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6501-0001_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "716CA99C-BB90-422B-9EAD-A066D48DE1E8", "versionEndExcluding": "1.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6501-0001:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB83620B-3DE0-405A-92F7-99E1B2150E75", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6501-0002_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D2468D0-D50D-4843-8620-CAD0F40E9329", "versionEndExcluding": "1.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6501-0002:-:*:*:*:*:*:*:*", "matchCriteriaId": "CC12A2AA-C006-4606-981A-FE54C1EA3B3F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6260-0410_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB404224-29BF-4440-963C-0734A51CE6D1", "versionEndExcluding": "1.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6260-0410:-:*:*:*:*:*:*:*", "matchCriteriaId": "0936523A-B9CB-451E-BF5E-9E7020DA96A2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6260-0415_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C17C8F6-8C97-43D5-8ECE-7D9204F3C75D", "versionEndExcluding": "1.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:meg6260-0415:-:*:*:*:*:*:*:*", "matchCriteriaId": "F93C8296-5845-498A-964A-D650F45B27B6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A CWE-863: Incorrect Authorization vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow the file system to access the wrong file."}, {"lang": "es", "value": "Un Control de Acceso Incorrecto: Se presenta una vulnerabilidad CWE-863 en U.motion Server (MEG6501-0001 - U.motion KNX Server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), que podr\u00eda permitir que el sistema de archivos acceda al archivo incorrecto"}], "id": "CVE-2019-6836", "lastModified": "2021-04-16T22:15:12.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-17T20:15:12.593", "references": [{"source": "cybersecurity@se.com", "url": "https://www.se.com/ww/en/download/document/SEVD-2019-253-01/"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}