CVE-2019-6545

AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01	Mitigation Third Party Advisory US Government Resource
https://www.exploit-db.com/exploits/46342/	Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2019-04	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp5::::::
	cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp6_p3::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:::::::*
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp2::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p2::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p3::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p4::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p5::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p6::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p7::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p8::::::
	cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p9::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:::::::*
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:p1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:p2::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:p3::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1_p1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2_p1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.1:::::::*
	cpe:2.3:a:aveva:indusoft_web_studio:8.1:p1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1_p1::::::
	cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp2::::::

Configuration 2 (hide)

cpe:2.3:a:aveva:intouch_machine_edition_2014:r2:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-02-13 01:29

Updated : 2023-01-31 21:04

NVD link : CVE-2019-6545

Mitre link : CVE-2019-6545

CVE.ORG link : CVE-2019-6545

JSON object : View

Products Affected

aveva

indusoft_web_studio
intouch_machine_edition_2014

CWE

NVD-CWE-Other CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-6545

7.5^/10

5.0^/10

Attach tags to `CVE-2019-6545`