CVE-2019-13525

In IP-AK2 Access Control Panel Version 1.04.07 and prior, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data, which can be accessed without authentication over the network.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsa-19-297-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:honeywell:ip-ak2:-:*:*:*:*:*:*:*

cpe:2.3:o:honeywell:ip-ak2_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-10-25 18:15

Updated : 2019-10-30 18:25

NVD link : CVE-2019-13525

Mitre link : CVE-2019-13525

CVE.ORG link : CVE-2019-13525

JSON object : View

Products Affected

honeywell

ip-ak2
ip-ak2_firmware

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2019-13525", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-10-25T18:15:10.723", "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsa-19-297-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "In IP-AK2 Access Control Panel Version 1.04.07 and prior, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data, which can be accessed without authentication over the network."}, {"lang": "es", "value": "En IP-AK2 Access Control Panel Versi\u00f3n 1.04.07 y anteriores, el servidor web integrado de los dispositivos afectados podr\u00eda permitir a atacantes remotos obtener datos de configuraci\u00f3n web, que pueden ser accedidos sin autenticaci\u00f3n a trav\u00e9s de la red."}], "lastModified": "2019-10-30T18:25:15.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:ip-ak2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BF3A8777-2F0B-4279-87A3-115CBEF2115E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:honeywell:ip-ak2_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "727BAD9E-1656-4276-B8DA-8508CD4D324B", "versionEndExcluding": "1.04.07"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}