CVE-2019-6579

A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/107830	Third Party Advisory VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-04-17 14:29

Updated : 2020-10-16 13:03

NVD link : CVE-2019-6579

Mitre link : CVE-2019-6579

CVE.ORG link : CVE-2019-6579

JSON object : View

Products Affected

siemens

spectrum_power_4

CWE

NVD-CWE-noinfo CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2019-6579", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-04-17T14:29:03.793", "references": [{"url": "http://www.securityfocus.com/bid/107830", "tags": ["Third Party Advisory", "VDB Entry"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-324467.pdf", "tags": ["Mitigation", "Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Spectrum Power 4 (with Web Office Portal). An attacker with network access to the web server on port 80/TCP or 443/TCP could execute system commands with administrative privileges. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected service. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises confidentiality, integrity or availability of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en Spectrum Power versi\u00f3n 4 (con Web Office Portal). Un atacante con acceso de red al servidor web en el puerto 80/TCP o 443/TCP podr\u00eda ejecutar comandos de sistema con privilegios administrativos. La vulnerabilidad de la seguridad podr\u00eda ser aprovechada por un atacante no identificado con acceso de red al servicio afectado. No es necesario la interacci\u00f3n del usuario para aprvechar esta vulnerabilidad de seguridad. La operaci\u00f3n exito de la vulnerabilidad de seguridad compromete la confidencialidad, integridad o disponibilidad del sistema destino. En el momento de la publicaci\u00f3n de asesoramiento, no se conoc\u00eda la operaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad."}], "lastModified": "2020-10-16T13:03:03.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:spectrum_power_4:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D40B786-1DB0-444A-86F5-C4C8785E1DE7"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}