Vulnerabilities related to Tridium - Niagara Framework
CVE-2025-3943 (GCVE-0-2025-3943)
Vulnerability from cvelistv5
- CWE-598 - Use of GET Request Method With Sensitive Query Strings
| URL | Tags |
|---|---|
| https://honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3943", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:19:00.551594Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T13:19:08.477Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Network" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.\u003cbr\u003e\u003cbr\u003e" } ], "value": "Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-137", "descriptions": [ { "lang": "en", "value": "CAPEC-137 Parameter Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-598", "description": "CWE-598 Use of GET Request Method With Sensitive Query Strings", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:42:13.893Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, "title": "Use 
of GET Request Method With sensitive Query Strings", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3943", "datePublished": "2025-05-22T12:42:13.893Z", "dateReserved": "2025-04-25T15:21:19.481Z", "dateUpdated": "2025-05-22T13:19:08.477Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3945 (GCVE-0-2025-3945)
Vulnerability from cvelistv5
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
| URL | Tags |
|---|---|
| https://honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3945", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:17:20.455610Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T13:17:49.912Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Network" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027) vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-15", "descriptions": [ { "lang": "en", "value": "CAPEC-15 Command Delimiters" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:47:00.903Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, 
"title": "Improper Neutralization of Argument Delimiters in a Command (\u2018Argument Injection\u2019)", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3945", "datePublished": "2025-05-22T12:47:00.903Z", "dateReserved": "2025-04-25T15:21:20.955Z", "dateUpdated": "2025-05-22T13:17:49.912Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3940 (GCVE-0-2025-3940)
Vulnerability from cvelistv5
- CWE-1173 - Improper Use of Validation Framework
| URL | Tags |
|---|---|
| https://honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3940", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:56:59.299523Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T14:00:58.907Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Use of Validation Framework vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Improper Use of Validation Framework vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-153", "descriptions": [ { "lang": "en", "value": "CAPEC-153 Input Data Manipulation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1173", "description": "CWE-1173 Improper Use of Validation Framework", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:48:54.098Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, "title": "Improper Use of Validation Framework", "x_generator": { 
"engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3940", "datePublished": "2025-05-22T12:35:14.174Z", "dateReserved": "2025-04-25T15:21:17.262Z", "dateUpdated": "2025-05-22T14:00:58.907Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3937 (GCVE-0-2025-3937)
Vulnerability from cvelistv5
- CWE-916 - Use of Password Hash With Insufficient Computational Effort
| URL | Tags |
|---|---|
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |
| https://www.honeywell.com/us/en/product-security#security-notices | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3937", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T14:29:29.244650Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T14:43:13.538Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-97", "descriptions": [ { "lang": "en", "value": "CAPEC-97 Cryptanalysis" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-916", "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:50:14.135Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" }, { "tags": [ "vendor-advisory" ], "url": "https://www.honeywell.com/us/en/product-security#security-notices" } ], "source": { "discovery": "UNKNOWN" }, "title": "Use of Password Hash with Insufficient 
Computational Effort", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3937", "datePublished": "2025-05-22T12:23:42.058Z", "dateReserved": "2025-04-25T15:21:14.598Z", "dateUpdated": "2025-05-22T14:43:13.538Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3936 (GCVE-0-2025-3936)
Vulnerability from cvelistv5
- CWE-732 - Incorrect Permission Assignment for Critical Resource
| URL | Tags |
|---|---|
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |
| https://www.honeywell.com/us/en/product-security#security-notices | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3936", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T17:19:05.444995Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T17:29:38.532Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security Levels. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.\u003cbr\u003e" } ], "value": "Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-180", "descriptions": [ { "lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:50:32.521Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" }, { "tags": [ "vendor-advisory" ], "url": "https://www.honeywell.com/us/en/product-security#security-notices" } ], 
"source": { "discovery": "UNKNOWN" }, "title": "Incorrect Permission Assignment for Critical Resource", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3936", "datePublished": "2025-05-22T12:20:42.337Z", "dateReserved": "2025-04-25T15:21:09.014Z", "dateUpdated": "2025-05-22T17:29:38.532Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3938 (GCVE-0-2025-3938)
Vulnerability from cvelistv5
- CWE-325 - Missing Cryptographic Step
| URL | Tags |
|---|---|
| https://www.honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3938", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T14:03:16.201132Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T14:10:21.621Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Missing Cryptographic Step vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.\u003cbr\u003e" } ], "value": "Missing Cryptographic Step vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-97", "descriptions": [ { "lang": "en", "value": "CAPEC-97 Cryptanalysis" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-325", "description": "CWE-325 Missing Cryptographic Step", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:49:32.299Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, "title": "Missing Cryptographic Step", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, 
"cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3938", "datePublished": "2025-05-22T12:32:01.669Z", "dateReserved": "2025-04-25T15:21:15.598Z", "dateUpdated": "2025-05-22T14:10:21.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3941 (GCVE-0-2025-3941)
Vulnerability from cvelistv5
- CWE-69 - Improper Handling of Windows ::DATA Alternate Data Stream
| URL | Tags |
|---|---|
| https://www.honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3941", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:47:50.253374Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T13:52:36.314Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-153", "descriptions": [ { "lang": "en", "value": "CAPEC-153 Input Data Manipulation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-69", "description": "CWE-69 Improper Handling of Windows ::DATA Alternate Data Stream", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:48:36.986Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, "title": "Improper Handling of Windows: DATA Alternate Data Stream", 
"x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3941", "datePublished": "2025-05-22T12:38:15.750Z", "dateReserved": "2025-04-25T15:21:18.048Z", "dateUpdated": "2025-05-22T13:52:36.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3944 (GCVE-0-2025-3944)
Vulnerability from cvelistv5
- CWE-732 - Incorrect Permission Assignment for Critical Resource
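| URL | Tags |
|---|---|
| https://www.honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |

Note: the three ranges all start at version 0 and therefore overlap when read literally (for example, 4.14.2 falls inside "0 < 4.15.1"); they presumably describe per-branch fixed releases, so check the installed branch against the vendor advisory rather than range-matching on this table alone.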
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3944", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:17:31.112109Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T13:17:37.301Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Network" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-165", "descriptions": [ { "lang": "en", "value": "CAPEC-165 File Manipulation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:45:05.762Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, "title": "Incorrect Permission Assignment for Critical Resource", 
"x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3944", "datePublished": "2025-05-22T12:44:55.511Z", "dateReserved": "2025-04-25T15:21:20.179Z", "dateUpdated": "2025-05-22T13:17:37.301Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3939 (GCVE-0-2025-3939)
Vulnerability from cvelistv5
- CWE-204 - Observable Response Discrepancy
| URL | Tags |
|---|---|
| https://honeywell.com/us/en/product-security#security-notices | vendor-advisory |
| https://docs.niagara-community.com/category/tech_bull | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3939", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T14:01:37.287802Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T14:02:22.839Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-97", "descriptions": [ { "lang": "en", "value": "CAPEC-97 Cryptanalysis" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-204", "description": "CWE-204 Observable Response Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:49:10.315Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://honeywell.com/us/en/product-security#security-notices" }, { "tags": [ "vendor-advisory" ], "url": "https://docs.niagara-community.com/category/tech_bull" } ], "source": { "discovery": "UNKNOWN" }, "title": "Observable Response Discrepancy", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { 
"assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3939", "datePublished": "2025-05-22T12:33:48.250Z", "dateReserved": "2025-04-25T15:21:16.473Z", "dateUpdated": "2025-05-22T14:02:22.839Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-3942 (GCVE-0-2025-3942)
Vulnerability from cvelistv5
- CWE-117 - Improper Output Neutralization for Logs
| URL | Tags |
|---|---|
| https://www.tridium.com/us/en/product-security | vendor-advisory |
| https://www.honeywell.com/us/en/product-security#security-notices | vendor-advisory |

| Vendor | Product | Version |
|---|---|---|
| Tridium | Niagara Framework | Version: 0 < 4.14.2; Version: 0 < 4.15.1; Version: 0 < 4.10.11 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3942", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-22T13:36:08.958420Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-22T13:36:18.427Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Framework", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "affected", "platforms": [ "Windows", "Linux", "QNX" ], "product": "Niagara Enterprise Security", "vendor": "Tridium", "versions": [ { "lessThan": "4.14.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.15.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.10.11", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Andrea Palanca and team at Nozomi Networks" } ], "datePublic": "2025-05-08T16:59:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. 
This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u0026nbsp;Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "value": "Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.\u00a0Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11." } ], "impacts": [ { "capecId": "CAPEC-153", "descriptions": [ { "lang": "en", "value": "CAPEC-153 Input Data Manipulation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-117", "description": "CWE-117 Improper Output Neutralization for Logs", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-22T12:40:12.581Z", "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.tridium.com/us/en/product-security" }, { "tags": [ "vendor-advisory" ], "url": "https://www.honeywell.com/us/en/product-security#security-notices" } ], "source": { "discovery": "UNKNOWN" }, "title": "Improper Output Neutralization for Logs", "x_generator": { 
"engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "assignerShortName": "Honeywell", "cveId": "CVE-2025-3942", "datePublished": "2025-05-22T12:40:12.581Z", "dateReserved": "2025-04-25T15:21:18.791Z", "dateUpdated": "2025-05-22T13:36:18.427Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
var-201207-0104
Vulnerability from variot
Directory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file. The Niagara Framework is a unified, open, distributed platform that integrates the management of a wide variety of devices and systems. The Niagara Framework contains an input validation flaw that permits directory traversal: some unspecified input is not validated before it is used to read a file, so a crafted request can return the contents of arbitrary files. TRIDIUM NiagaraAX is prone to a directory-traversal vulnerability. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
TITLE: Niagara Framework Directory Traversal Vulnerability
SECUNIA ADVISORY ID: SA49903
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49903/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49903
RELEASE DATE: 2012-07-16
DESCRIPTION: A vulnerability has been reported in Niagara Framework, which can be exploited by malicious people to disclose system information. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.
SOLUTION: The vendor recommends limiting access to the affected systems.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Billy Rios and Terry McCorkle via ICS-CERT.
ORIGINAL ADVISORY: https://www.tridium.com/galleries/briefings/NiagaraAX_Framework_Software_Security_Alert.pdf
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201207-0104", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "niagara ax", "scope": "eq", "trust": 1.0, "vendor": "tridium", "version": "*" }, { "model": "niagara ax framework", "scope": null, "trust": 0.8, "vendor": "tridium", "version": null }, { "model": null, "scope": null, "trust": 0.6, "vendor": "no", "version": null }, { "model": "niagara 
framework", "scope": null, "trust": 0.6, "vendor": "tridium", "version": null }, { "model": "niagra ax framework", "scope": null, "trust": 0.6, "vendor": "tridium", "version": null }, { "model": null, "scope": "eq", "trust": 0.4, "vendor": "niagra ax framework", "version": "*" } ], "sources": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "CNNVD", "id": "CNNVD-201207-223" }, { "db": "NVD", "id": "CVE-2012-4027" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:tridium:niagra_ax_framework", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2012-003104" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Billy Rios and Terry McCorkle", "sources": [ { "db": "BID", "id": "54454" }, { "db": "CNNVD", "id": "CNNVD-201207-241" } ], "trust": 0.9 }, "cve": "CVE-2012-4027", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2012-4027", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.8, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "CNVD-2012-8527", "impactScore": 6.9, "integrityImpact": "NONE", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "IVD", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "ac874866-2353-11e6-abef-000c29c66e3d", "impactScore": 6.9, "integrityImpact": "NONE", "severity": "HIGH", "trust": 0.2, "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.9 [IVD]" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "IVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "f999f736-1f5f-11e6-abef-000c29c66e3d", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.2, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.9 [IVD]" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": 
"VHN-57308", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2012-4027", "trust": 1.0, "value": "MEDIUM" }, { "author": "NVD", "id": "CVE-2012-4027", "trust": 0.8, "value": "Medium" }, { "author": "CNVD", "id": "CNVD-2012-8527", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201207-223", "trust": 0.6, "value": "MEDIUM" }, { "author": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "MEDIUM" }, { "author": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d", "trust": 0.2, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-57308", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "VULHUB", "id": "VHN-57308" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "CNNVD", "id": "CNNVD-201207-223" }, { "db": "NVD", "id": "CVE-2012-4027" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Directory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file. The Niagara Framework is a unified, open, distributed platform that integrates the management of a wide variety of devices and systems. The Niagara Framework has an input validation vulnerability that allows an attacker to exploit a vulnerability for a directory traversal attack. 
The vulnerability is due to the fact that some of the unspecified input is missing validation before being used to read the file, and any file content can be obtained by submitting a malicious request. TRIDIUM NiagaraAX is prone to a directory-traversal vulnerability. \nRemote attackers can use specially crafted requests with directory-traversal sequences (\u0027../\u0027) to retrieve arbitrary files in the context of the application. \nExploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. ----------------------------------------------------------------------\n\nWe are millions! Join us to protect all Pc\u0027s Worldwide. \nDownload the new Secunia PSI 3.0 available in 5 languages and share it with your friends:\nhttp://secunia.com/psi\n\n----------------------------------------------------------------------\n\nTITLE:\nNiagara Framework Directory Traversal Vulnerability\n\nSECUNIA ADVISORY ID:\nSA49903\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/49903/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=49903\n\nRELEASE DATE:\n2012-07-16\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/49903/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/49903/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=49903\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED 
SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nA vulnerability has been reported in Niagara Framework, which can be\nexploited by malicious people to disclose system information. This can be exploited to disclose the contents of\narbitrary files via directory traversal sequences. \n\nSOLUTION:\nThe vendor recommends to limit access to the affected systems. \n\nPROVIDED AND/OR DISCOVERED BY:\nThe vendor credits Billy Rios and Terry McCorkle via ICS-CERT. \n\nORIGINAL ADVISORY:\nhttps://www.tridium.com/galleries/briefings/NiagaraAX_Framework_Software_Security_Alert.pdf\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2012-4027" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" }, { "db": "BID", "id": "54454" }, { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "VULHUB", "id": "VHN-57308" }, { "db": "PACKETSTORM", "id": "114789" } ], "trust": 3.51 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2012-4027", "trust": 3.9 }, { "db": "BID", "id": "54454", "trust": 1.6 }, { "db": "CNNVD", "id": "CNNVD-201207-223", "trust": 1.1 }, { "db": "CNVD", "id": "CNVD-2012-8527", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2012-3707", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2012-003104", "trust": 0.8 }, { "db": "SECUNIA", "id": "49903", "trust": 0.7 }, { "db": "CNNVD", "id": "CNNVD-201207-241", "trust": 0.6 }, { "db": "IVD", "id": "AC874866-2353-11E6-ABEF-000C29C66E3D", "trust": 0.2 }, { "db": "IVD", "id": "F999F736-1F5F-11E6-ABEF-000C29C66E3D", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "115639", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-57308", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "114789", "trust": 0.1 } ], "sources": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" }, { "db": "VULHUB", "id": "VHN-57308" }, { "db": "BID", 
"id": "54454" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "PACKETSTORM", "id": "114789" }, { "db": "PACKETSTORM", "id": "115639" }, { "db": "CNNVD", "id": "CNNVD-201207-241" }, { "db": "CNNVD", "id": "CNNVD-201207-223" }, { "db": "NVD", "id": "CVE-2012-4027" } ] }, "id": "VAR-201207-0104", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" }, { "db": "VULHUB", "id": "VHN-57308" } ], "trust": 2.3955337733333333 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 1.6 } ], "sources": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" } ] }, "last_update_date": "2024-11-23T22:35:27.322000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security Alert: Niagara AX(tm) Directory Traversal Remediation", "trust": 0.8, "url": "https://www.tridium.com/galleries/briefings/NiagaraAX_Framework_Software_Security_Alert.pdf" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2012-003104" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.0 }, { "problemtype": "CWE-264", "trust": 0.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-57308" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "NVD", "id": "CVE-2012-4027" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.8, "url": "https://www.tridium.com/galleries/briefings/niagaraax_framework_software_security_alert.pdf" }, { "trust": 1.7, "url": "http://www.washingtonpost.com/investigations/tridiums-niagara-framework-marvel-of-connectivity-illustrates-new-cyber-risks/2012/07/11/gjqarjl6dw_story.html" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4027" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4027" }, { "trust": 0.6, "url": "http://web.nvd.nist.gov/view/vuln/search-results?query=cve-2012-4027" }, { "trust": 0.6, "url": "http://secunia.com/advisories/49903/https" }, { "trust": 0.6, "url": "http://www.securityfocus.com/bid/54454" }, { "trust": 0.1, "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=49903" }, { "trust": 0.1, "url": "http://secunia.com/psi" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_intelligence/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/secunia_security_advisories/" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/49903/#comments" }, { "trust": 0.1, "url": "http://secunia.com/vulnerability_scanning/personal/" }, { "trust": 0.1, "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org" }, { "trust": 0.1, "url": 
"http://secunia.com/advisories/49903/" }, { "trust": 0.1, "url": "http://secunia.com/advisories/about_secunia_advisories/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2012-4028" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3025" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3024" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2012-4027" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" }, { "db": "VULHUB", "id": "VHN-57308" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "PACKETSTORM", "id": "114789" }, { "db": "PACKETSTORM", "id": "115639" }, { "db": "CNNVD", "id": "CNNVD-201207-241" }, { "db": "CNNVD", "id": "CNNVD-201207-223" }, { "db": "NVD", "id": "CVE-2012-4027" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "db": "CNVD", "id": "CNVD-2012-8527" }, { "db": "CNVD", "id": "CNVD-2012-3707" }, { "db": "VULHUB", "id": "VHN-57308" }, { "db": "BID", "id": "54454" }, { "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "db": "PACKETSTORM", "id": "114789" }, { "db": "PACKETSTORM", "id": "115639" }, { "db": "CNNVD", "id": "CNNVD-201207-241" }, { "db": "CNNVD", "id": "CNNVD-201207-223" }, { "db": "NVD", "id": "CVE-2012-4027" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2012-07-17T00:00:00", "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "date": "2012-07-18T00:00:00", "db": "IVD", "id": "f999f736-1f5f-11e6-abef-000c29c66e3d" }, { "date": "2012-07-17T00:00:00", "db": "CNVD", "id": "CNVD-2012-8527" }, { "date": "2012-07-18T00:00:00", "db": "CNVD", "id": "CNVD-2012-3707" }, { "date": 
"2012-07-16T00:00:00", "db": "VULHUB", "id": "VHN-57308" }, { "date": "2012-07-13T00:00:00", "db": "BID", "id": "54454" }, { "date": "2012-07-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "date": "2012-07-17T01:30:18", "db": "PACKETSTORM", "id": "114789" }, { "date": "2012-08-17T03:33:48", "db": "PACKETSTORM", "id": "115639" }, { "date": "2012-07-18T00:00:00", "db": "CNNVD", "id": "CNNVD-201207-241" }, { "date": "2012-07-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201207-223" }, { "date": "2012-07-16T20:55:04.957000", "db": "NVD", "id": "CVE-2012-4027" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2012-07-17T00:00:00", "db": "CNVD", "id": "CNVD-2012-8527" }, { "date": "2012-07-18T00:00:00", "db": "CNVD", "id": "CNVD-2012-3707" }, { "date": "2012-07-17T00:00:00", "db": "VULHUB", "id": "VHN-57308" }, { "date": "2013-08-13T07:26:00", "db": "BID", "id": "54454" }, { "date": "2012-07-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2012-003104" }, { "date": "2012-07-18T00:00:00", "db": "CNNVD", "id": "CNNVD-201207-241" }, { "date": "2023-03-23T00:00:00", "db": "CNNVD", "id": "CNNVD-201207-223" }, { "date": "2024-11-21T01:42:04.297000", "db": "NVD", "id": "CVE-2012-4027" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201207-241" }, { "db": "CNNVD", "id": "CNNVD-201207-223" } ], "trust": 1.2 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Tridium Niagara AX Framework Directory Traversal Vulnerability", "sources": [ { "db": "IVD", "id": "ac874866-2353-11e6-abef-000c29c66e3d" }, { "db": "CNVD", 
"id": "CNVD-2012-8527" }, { "db": "CNNVD", "id": "CNNVD-201207-223" } ], "trust": 1.4 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "path traversal", "sources": [ { "db": "CNNVD", "id": "CNNVD-201207-241" }, { "db": "CNNVD", "id": "CNNVD-201207-223" } ], "trust": 1.2 } }
var-201808-0129
Vulnerability from variot
An attacker can log into the local Niagara platform (Niagara AX Framework Versions 3.8 and prior or Niagara 4 Framework Versions 4.4 and prior) using a disabled account name and a blank password, granting the attacker administrator access to the Niagara system. The Niagara platform contains authentication vulnerabilities. Information may be obtained or altered, and service operation may be disrupted (DoS). Tridium Niagara AX Framework and Niagara 4 Framework are both IoT business application frameworks from Tridium. Tridium Niagara is prone to a directory-traversal vulnerability and an authentication-bypass vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow an attacker to bypass authentication and perform unauthorized actions on the affected application, and to obtain sensitive information that could aid in further attacks. (This description is aggregated from several source databases; the last two sentences appear to come from a combined advisory that also covers the directory-traversal issue tracked as CVE-2017-16744, while this entry, CVE-2017-16748, is the authentication bypass.)
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201808-0129", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "niagara", "scope": "lte", "trust": 1.8, "vendor": "tridium", "version": "4.4" }, { "model": "niagara ax framework", "scope": "lte", "trust": 1.8, "vendor": "tridium", "version": "3.8" }, { "model": "niagara ax framework", "scope": "eq", "trust": 0.9, 
"vendor": "tridium", "version": "3.8" }, { "model": "niagara ax framework", "scope": "lte", "trust": 0.6, "vendor": "tridium", "version": "\u003c=3.8" }, { "model": "niagara framework", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4\u003c=4.4" }, { "model": "niagara", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4.4" }, { "model": "framework", "scope": "eq", "trust": 0.3, "vendor": "tridium", "version": "44.4" }, { "model": null, "scope": "eq", "trust": 0.2, "vendor": "niagara", "version": "*" }, { "model": null, "scope": "eq", "trust": 0.2, "vendor": "niagara ax framework", "version": "*" } ], "sources": [ { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNNVD", "id": "CNNVD-201808-569" }, { "db": "NVD", "id": "CVE-2017-16748" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:tridium:niagara", "vulnerable": true }, { "cpe22Uri": "cpe:/a:tridium:niagra_ax_framework", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009181" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Johnathan Gains and Leet Cyber Security.", "sources": [ { "db": "BID", "id": "105101" }, { "db": "CNNVD", "id": "CNNVD-201808-569" } ], "trust": 0.9 }, "cve": "CVE-2017-16748", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": 
"https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2017-16748", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "COMPLETE", "baseScore": 6.2, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 1.9, "id": "CNVD-2018-15732", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "author": "IVD", "availabilityImpact": "COMPLETE", "baseScore": 6.2, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 1.9, "id": "e2f81210-39ab-11e9-ad51-000c29342cb1", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "MEDIUM", "trust": 0.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.9 [IVD]" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": 
"CVE-2017-16748", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.8, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2017-16748", "trust": 1.0, "value": "CRITICAL" }, { "author": "NVD", "id": "CVE-2017-16748", "trust": 0.8, "value": "Critical" }, { "author": "CNVD", "id": "CNVD-2018-15732", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201808-569", "trust": 0.6, "value": "CRITICAL" }, { "author": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1", "trust": 0.2, "value": "CRITICAL" }, { "author": "VULMON", "id": "CVE-2017-16748", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "VULMON", "id": "CVE-2017-16748" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNNVD", "id": "CNNVD-201808-569" }, { "db": "NVD", "id": "CVE-2017-16748" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "An attacker can log into the local Niagara platform (Niagara AX Framework Versions 3.8 and prior or Niagara 4 Framework Versions 4.4 and prior) using a disabled account name and a blank password, granting the attacker administrator access to the Niagara system. Niagara The platform contains authentication vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Tridium Niagara AX Framework and Niagara 4 Framework are both IoT business application frameworks from Tridium. 
Tridium Niagara is prone to directory-traversal vulnerability and authentication-bypass vulnerability because the application fails to sufficiently sanitize user-supplied input. \nExploiting these issues may allow an attacker to bypass authentication and perform unauthorized actions on the affected application, and to obtain sensitive information that could aid in further attacks", "sources": [ { "db": "NVD", "id": "CVE-2017-16748" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "CNNVD", "id": "CNNVD-201808-569" }, { "db": "BID", "id": "105101" }, { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "VULMON", "id": "CVE-2017-16748" } ], "trust": 3.24 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-16748", "trust": 3.6 }, { "db": "ICS CERT", "id": "ICSA-18-191-03", "trust": 3.4 }, { "db": "ICS CERT", "id": "ICSA-19-022-01", "trust": 2.8 }, { "db": "BID", "id": "105101", "trust": 2.0 }, { "db": "CNVD", "id": "CNVD-2018-15732", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201808-569", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2018-009181", "trust": 0.8 }, { "db": "IVD", "id": "E2F81210-39AB-11E9-AD51-000C29342CB1", "trust": 0.2 }, { "db": "VULMON", "id": "CVE-2017-16748", "trust": 0.1 } ], "sources": [ { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "VULMON", "id": "CVE-2017-16748" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNNVD", "id": "CNNVD-201808-569" }, { "db": "NVD", "id": "CVE-2017-16748" } ] }, "id": "VAR-201808-0129", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15732" } ], "trust": 1.52385621 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15732" } ] }, "last_update_date": "2024-11-23T22:06:39.490000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "https://www.tridium.com/" }, { "title": "Patch for Tridium Niagara AX Framework and Niagara 4 Framework Authentication Bypass Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/138005" }, { "title": "Tridium Niagara AX Framework and Niagara 4 Framework Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84155" }, { "title": "CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara", "trust": 0.1, "url": "https://github.com/GainSec/CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara " }, { "title": "", "trust": 0.1, "url": "https://github.com/khulnasoft-labs/awesome-security " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "VULMON", "id": "CVE-2017-16748" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNNVD", "id": "CNNVD-201808-569" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } 
}, "data": [ { "problemtype": "CWE-287", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "NVD", "id": "CVE-2017-16748" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.4, "url": "https://ics-cert.us-cert.gov/advisories/icsa-18-191-03" }, { "trust": 2.9, "url": "https://ics-cert.us-cert.gov/advisories/icsa-19-022-01" }, { "trust": 2.3, "url": "http://www.securityfocus.com/bid/105101" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16748" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-16748" }, { "trust": 0.3, "url": "https://www.tridium.com/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/287.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/gainsec/cve-2017-16744-and-cve-2017-16748-tridium-niagara" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "VULMON", "id": "CVE-2017-16748" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNNVD", "id": "CNNVD-201808-569" }, { "db": "NVD", "id": "CVE-2017-16748" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15732" }, { "db": "VULMON", "id": "CVE-2017-16748" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "db": "CNNVD", "id": "CNNVD-201808-569" }, { "db": "NVD", "id": "CVE-2017-16748" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-21T00:00:00", "db": "IVD", "id": 
"e2f81210-39ab-11e9-ad51-000c29342cb1" }, { "date": "2018-08-21T00:00:00", "db": "CNVD", "id": "CNVD-2018-15732" }, { "date": "2018-08-20T00:00:00", "db": "VULMON", "id": "CVE-2017-16748" }, { "date": "2018-08-16T00:00:00", "db": "BID", "id": "105101" }, { "date": "2018-11-09T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "date": "2018-08-20T00:00:00", "db": "CNNVD", "id": "CNNVD-201808-569" }, { "date": "2018-08-20T21:29:00.807000", "db": "NVD", "id": "CVE-2017-16748" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-21T00:00:00", "db": "CNVD", "id": "CNVD-2018-15732" }, { "date": "2019-04-03T00:00:00", "db": "VULMON", "id": "CVE-2017-16748" }, { "date": "2019-01-23T07:00:00", "db": "BID", "id": "105101" }, { "date": "2019-01-23T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-009181" }, { "date": "2019-04-04T00:00:00", "db": "CNNVD", "id": "CNNVD-201808-569" }, { "date": "2024-11-21T03:16:53.670000", "db": "NVD", "id": "CVE-2017-16748" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201808-569" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Niagara Authentication vulnerabilities in the platform", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-009181" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "authorization issue", "sources": [ { "db": "CNNVD", "id": "CNNVD-201808-569" } ], "trust": 0.6 } }
var-201808-0077
Vulnerability from variot
A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and prior and Niagara 4 systems Versions 4.4 and prior installed on Microsoft Windows Systems can be exploited by leveraging valid platform (administrator) credentials. Tridium Niagara AX Framework and Niagara 4 Framework are both IoT business application frameworks from Tridium. The vulnerability stems from the program's insufficient filtering of user-submitted input. A remote attacker with valid platform administrator credentials could use this vulnerability to obtain sensitive information. Tridium Niagara is prone to a directory-traversal vulnerability and an authentication-bypass vulnerability because the application fails to sufficiently sanitize user-supplied input. (The final sentence is shared with the companion authentication-bypass entry, CVE-2017-16748; this entry, CVE-2017-16744, is the path traversal.)
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201808-0077", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "niagara ax framework", "scope": "lte", "trust": 1.8, "vendor": "tridium", "version": "3.8" }, { "model": "niagara", "scope": "gte", "trust": 1.0, "vendor": "tridium", "version": "4.0" }, { "model": "niagara", "scope": "lte", "trust": 1.0, "vendor": 
"tridium", "version": "4.4" }, { "model": "niagara ax framework", "scope": "eq", "trust": 0.9, "vendor": "tridium", "version": "3.8" }, { "model": "niagara", "scope": "lte", "trust": 0.8, "vendor": "tridium", "version": "4 systems 4.4" }, { "model": "niagara ax framework", "scope": "lte", "trust": 0.6, "vendor": "tridium", "version": "\u003c=3.8" }, { "model": "niagara framework", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4\u003c=4.4" }, { "model": "niagara", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4.2" }, { "model": "niagara", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4.4" }, { "model": "niagara", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4.0" }, { "model": "niagara", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4.3" }, { "model": "niagara", "scope": "eq", "trust": 0.6, "vendor": "tridium", "version": "4.1" }, { "model": "framework", "scope": "eq", "trust": 0.3, "vendor": "tridium", "version": "44.4" }, { "model": null, "scope": "eq", "trust": 0.2, "vendor": "niagara", "version": "*" }, { "model": null, "scope": "eq", "trust": 0.2, "vendor": "niagara ax framework", "version": "*" } ], "sources": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNNVD", "id": "CNNVD-201808-568" }, { "db": "NVD", "id": "CVE-2017-16744" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:tridium:niagara", "vulnerable": true }, { "cpe22Uri": "cpe:/a:tridium:niagra_ax_framework", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", 
"id": "JVNDB-2017-014181" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Johnathan Gains and Leet Cyber Security.", "sources": [ { "db": "BID", "id": "105101" }, { "db": "CNNVD", "id": "CNNVD-201808-568" } ], "trust": 0.9 }, "cve": "CVE-2017-16744", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CVE-2017-16744", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 4.9, "id": "CNVD-2018-15731", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "IVD", 
"availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 4.9, "id": "e2f8391e-39ab-11e9-8682-000c29342cb1", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.2, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.9 [IVD]" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.2, "id": "CVE-2017-16744", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 1.8, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2017-16744", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2017-16744", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2018-15731", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201808-568", "trust": 0.6, "value": "HIGH" }, { "author": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1", "trust": 0.2, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2017-16744", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "VULMON", "id": "CVE-2017-16744" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNNVD", "id": "CNNVD-201808-568" }, { "db": "NVD", "id": "CVE-2017-16744" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and prior and Niagara 4 systems Versions 4.4 and prior installed on Microsoft Windows Systems can be exploited by 
leveraging valid platform (administrator) credentials. Tridium Niagara AX Framework and Niagara 4 Framework are both IoT business application frameworks from Tridium. The vulnerability stems from the program\u0027s insufficient filtering of user-submitted input. A remote attacker could use this vulnerability to obtain sensitive information with valid platform administrator credentials. Tridium Niagara is prone to a directory-traversal vulnerability and an authentication-bypass vulnerability because the application fails to sufficiently sanitize user-supplied input.", "sources": [ { "db": "NVD", "id": "CVE-2017-16744" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "CNNVD", "id": "CNNVD-201808-568" }, { "db": "BID", "id": "105101" }, { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "VULMON", "id": "CVE-2017-16744" } ], "trust": 3.24 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-16744", "trust": 3.6 }, { "db": "ICS CERT", "id": "ICSA-18-191-03", "trust": 3.4 }, { "db": "ICS CERT", "id": "ICSA-19-022-01", "trust": 2.8 }, { "db": "BID", "id": "105101", "trust": 2.0 }, { "db": "CNVD", "id": "CNVD-2018-15731", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201808-568", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2017-014181", "trust": 0.8 }, { "db": "IVD", "id": "E2F8391E-39AB-11E9-8682-000C29342CB1", "trust": 0.2 }, { "db": "VULMON", "id": "CVE-2017-16744", "trust": 0.1 } ], "sources": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "VULMON", "id": "CVE-2017-16744" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNNVD", "id": "CNNVD-201808-568" }, { "db": "NVD", "id": 
"CVE-2017-16744" } ] }, "id": "VAR-201808-0077", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15731" } ], "trust": 1.52385621 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "ICS" ], "sub_category": null, "trust": 0.8 } ], "sources": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15731" } ] }, "last_update_date": "2024-11-23T22:06:39.529000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "New Security Update Releases for Niagara AX and Niagara 4", "trust": 0.8, "url": "https://www.tridium.com/~/media/tridium/library/documents/niagara%20ax%2038%20update%204niagara%2044%20update%201.ashx?la=en" }, { "title": "Patch for Tridium Niagara AX Framework and Niagara 4 Framework Path Traversal Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/138001" }, { "title": "Tridium Niagara AX Framework and Niagara 4 Framework Repair measures for path traversal vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84154" }, { "title": "CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara", "trust": 0.1, "url": "https://github.com/GainSec/CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara " }, { "title": "", "trust": 0.1, "url": "https://github.com/khulnasoft-labs/awesome-security " } ], "sources": [ { "db": "CNVD", "id": 
"CNVD-2018-15731" }, { "db": "VULMON", "id": "CVE-2017-16744" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNNVD", "id": "CNNVD-201808-568" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "NVD", "id": "CVE-2017-16744" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.4, "url": "https://ics-cert.us-cert.gov/advisories/icsa-18-191-03" }, { "trust": 2.9, "url": "https://ics-cert.us-cert.gov/advisories/icsa-19-022-01" }, { "trust": 2.3, "url": "http://www.securityfocus.com/bid/105101" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16744" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-16744" }, { "trust": 0.3, "url": "https://www.tridium.com/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/22.html" }, { "trust": 0.1, "url": "https://github.com/gainsec/cve-2017-16744-and-cve-2017-16748-tridium-niagara" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "VULMON", "id": "CVE-2017-16744" }, { "db": "BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNNVD", "id": "CNNVD-201808-568" }, { "db": "NVD", "id": "CVE-2017-16744" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "VULMON", "id": "CVE-2017-16744" }, { "db": 
"BID", "id": "105101" }, { "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "db": "CNNVD", "id": "CNNVD-201808-568" }, { "db": "NVD", "id": "CVE-2017-16744" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-21T00:00:00", "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "date": "2018-08-21T00:00:00", "db": "CNVD", "id": "CNVD-2018-15731" }, { "date": "2018-08-20T00:00:00", "db": "VULMON", "id": "CVE-2017-16744" }, { "date": "2018-08-16T00:00:00", "db": "BID", "id": "105101" }, { "date": "2018-11-07T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "date": "2018-08-20T00:00:00", "db": "CNNVD", "id": "CNNVD-201808-568" }, { "date": "2018-08-20T21:29:00.683000", "db": "NVD", "id": "CVE-2017-16744" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-21T00:00:00", "db": "CNVD", "id": "CNVD-2018-15731" }, { "date": "2019-04-03T00:00:00", "db": "VULMON", "id": "CVE-2017-16744" }, { "date": "2019-01-23T07:00:00", "db": "BID", "id": "105101" }, { "date": "2019-01-23T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-014181" }, { "date": "2019-04-04T00:00:00", "db": "CNNVD", "id": "CNNVD-201808-568" }, { "date": "2024-11-21T03:16:53.327000", "db": "NVD", "id": "CVE-2017-16744" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201808-568" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Tridium Niagara AX Framework and Niagara 4 Framework Path Traversal 
Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2018-15731" }, { "db": "CNNVD", "id": "CNNVD-201808-568" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Path traversal", "sources": [ { "db": "IVD", "id": "e2f8391e-39ab-11e9-8682-000c29342cb1" }, { "db": "CNNVD", "id": "CNNVD-201808-568" } ], "trust": 0.8 } }