CVE-2019-7280 - OpenCVE

Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Primasystems	Flexair

Configuration 1 [-]

cpe:2.3:a:primasystems:flexair:*:*:*:*:*:*:*:*

References

Link	Resource
https://applied-risk.com/labs/advisories	Not Applicable Third Party Advisory
https://www.applied-risk.com/resources/ar-2019-007	Third Party Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-211-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-01T18:31:34

Updated: 2019-07-31T15:03:28

Reserved: 2019-01-31T00:00:00

Link: CVE-2019-7280

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-01T19:15:11.290

Modified: 2022-10-25T15:42:17.087

Link: CVE-2019-7280

JSON object: View

Redhat Information

No data.

CWE

CWE-613

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-31T15:03:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://applied-risk.com/labs/advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://www.applied-risk.com/resources/ar-2019-007"}, {"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-7280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://applied-risk.com/labs/advisories", "refsource": "MISC", "url": "https://applied-risk.com/labs/advisories"}, {"name": "https://www.applied-risk.com/resources/ar-2019-007", "refsource": "MISC", "url": "https://www.applied-risk.com/resources/ar-2019-007"}, {"name": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-7280", "datePublished": "2019-07-01T18:31:34", "dateReserved": "2019-01-31T00:00:00", "dateUpdated": "2019-07-31T15:03:28", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:primasystems:flexair:*:*:*:*:*:*:*:*", "matchCriteriaId": "175CBF56-BD66-48B3-A3AC-25B4FCD4F601", "versionEndIncluding": "2.3.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session and bypass authentication."}, {"lang": "es", "value": "Prima Systems FlexAir, versiones 2.3.38 y anteriores. El ID de sesi\u00f3n tiene una longitud insuficiente y puede ser explotado por la fuerza bruta, lo que puede permitir que un atacante remoto obtenga una sesi\u00f3n v\u00e1lida y omita la autenticaci\u00f3n."}], "id": "CVE-2019-7280", "lastModified": "2022-10-25T15:42:17.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-01T19:15:11.290", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://applied-risk.com/labs/advisories"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.applied-risk.com/resources/ar-2019-007"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}