cvelistv5 - CVE-2019-6554

CVE-2019-6554 (GCVE-0-2019-6554)

Vulnerability from cvelistv5

Published

2019-04-05 18:15

Modified

2024-08-04 20:23

Severity ?

CWE

CWE-284 - IMPROPER ACCESS CONTROL

Summary

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

References

URL

	Vendor	Product	Version
	Advantech	WebAccess/SCADA	Version: Versions 8.3.5 and prior.

gsd-2019-6554

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

Aliases

CVE-2019-6554

Aliases

CVE-2019-6554

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-6554",
    "description": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.",
    "id": "GSD-2019-6554"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-6554"
      ],
      "details": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.",
      "id": "GSD-2019-6554",
      "modified": "2023-12-13T01:23:49.076477Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2019-6554",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WebAccess/SCADA",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Versions 8.3.5 and prior."
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Advantech"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "IMPROPER ACCESS CONTROL CWE-284"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.3.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-6554"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-10-16T19:17Z",
      "publishedDate": "2019-04-05T19:29Z"
    }
  }
}

ICSA-19-092-01

Vulnerability from csaf_cisa

Published

2019-04-02 00:00

Modified

2019-04-02 00:00

Summary

Advantech WebAccess/SCADA

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.

Critical infrastructure sectors

Critical Manufacturing, Energy, Water and Wastewater Systems

Countries/areas deployed

East Asia, United States, and Europe

Company headquarters location

Taiwan

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Mat Powell",
          "Natnael Samson (@NattiSamson)"
        ],
        "organization": "Trend Micro \u0027s Zero Day Initiative (ZDI)",
        "summary": "reporting these vulnerabilities to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing, Energy, Water and Wastewater Systems",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "East Asia, United States, and Europe",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Taiwan",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-092-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-092-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-092-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-092-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Advantech WebAccess/SCADA",
    "tracking": {
      "current_release_date": "2019-04-02T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-092-01",
      "initial_release_date": "2019-04-02T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-04-02T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-092-01 Advantech WebAccess/SCADA"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 8.3.5",
                "product": {
                  "name": "WebAccess/SCADA: Versions 8.3.5 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "WebAccess/SCADA"
          }
        ],
        "category": "vendor",
        "name": "Advantech"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-6552",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.CVE-2019-6552 has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6552"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. ",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2019-6550",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.CVE-2019-6550 has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6550"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. ",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2019-6554",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.CVE-2019-6554 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6554"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. ",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

icsa-19-092-01

Vulnerability from csaf_cisa

Published

2019-04-02 00:00

Modified

2019-04-02 00:00

Summary

Advantech WebAccess/SCADA

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.

Critical infrastructure sectors

Critical Manufacturing, Energy, Water and Wastewater Systems

Countries/areas deployed

East Asia, United States, and Europe

Company headquarters location

Taiwan

Recommended Practices

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Mat Powell",
          "Natnael Samson (@NattiSamson)"
        ],
        "organization": "Trend Micro \u0027s Zero Day Initiative (ZDI)",
        "summary": "reporting these vulnerabilities to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing, Energy, Water and Wastewater Systems",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "East Asia, United States, and Europe",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Taiwan",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-092-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-092-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-092-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-092-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Advantech WebAccess/SCADA",
    "tracking": {
      "current_release_date": "2019-04-02T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-092-01",
      "initial_release_date": "2019-04-02T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-04-02T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-092-01 Advantech WebAccess/SCADA"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 8.3.5",
                "product": {
                  "name": "WebAccess/SCADA: Versions 8.3.5 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "WebAccess/SCADA"
          }
        ],
        "category": "vendor",
        "name": "Advantech"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-6552",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.CVE-2019-6552 has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6552"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. ",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2019-6550",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.CVE-2019-6550 has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6550"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. ",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2019-6554",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.CVE-2019-6554 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6554"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. ",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

fkie_cve-2019-6554

Vulnerability from fkie_nvd

Published

2019-04-05 19:29

Modified

2024-11-21 04:46

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01	Third Party Advisory, US Government Resource
	af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	advantech	webaccess	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:advantech:webaccess:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5333F043-09F6-4BAA-9F06-4FFA63406A29",
              "versionEndIncluding": "8.3.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition."
    },
    {
      "lang": "es",
      "value": "Advantech WebAccess/SCADA, en versiones 8.3.5 y anteriores. Una vulnerabilidad de control de acceso incorrecto podr\u00eda permitir que un atacante provoque una condici\u00f3n de denegaci\u00f3n de servicio (DoS)."
    }
  ],
  "id": "CVE-2019-6554",
  "lastModified": "2024-11-21T04:46:41.090",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-05T19:29:00.407",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-4pmv-cr3m-c6qv

Vulnerability from github

Published

2022-05-13 01:14

Modified

2022-05-13 01:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-6554"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-05T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.",
  "id": "GHSA-4pmv-cr3m-c6qv",
  "modified": "2022-05-13T01:14:31Z",
  "published": "2022-05-13T01:14:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6554"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

var-201904-0184

Vulnerability from variot

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition. Advantech WebAccess/SCADA Contains an access control vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within UninstallWA.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess/SCADA is prone to the following vulnerabilities: 1. Multiple command-injection vulnerabilities 2. A denial-of-service vulnerability 3. Multiple stack-based buffer-overflow vulnerabilities An attacker can exploit these issues to inject and execute arbitrary commands in the context of the application. Failed exploit attempts will result in denial-of-service conditions

Show details on source website

JSON

To clipboard

{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "webaccess",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "8.3.5"
      },
      {
        "_id": null,
        "model": "webaccess",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "advantech",
        "version": "8.3.5 and less"
      },
      {
        "_id": null,
        "model": "webaccess",
        "scope": null,
        "trust": 0.7,
        "vendor": "advantech",
        "version": null
      },
      {
        "_id": null,
        "model": "webaccess/scada",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "advantech",
        "version": "\u003c=8.3.5"
      },
      {
        "_id": null,
        "model": "webaccess/scada",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "advantech",
        "version": "8.3.5"
      },
      {
        "_id": null,
        "model": "webaccess/scada",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "advantech",
        "version": "8.3.4"
      },
      {
        "_id": null,
        "model": "webaccess/scada",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "advantech",
        "version": "8.3.2"
      },
      {
        "_id": null,
        "model": "webaccess/scada",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "advantech",
        "version": "8.3"
      },
      {
        "_id": null,
        "model": "webaccess/scada",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "advantech",
        "version": "8.4"
      },
      {
        "_id": null,
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "webaccess",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "BID",
        "id": "107675"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6554"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:advantech:webaccess",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Mat Powell of Trend Micro Zero Day Initiative",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2019-6554",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2019-6554",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.1,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2019-08947",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.1,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "VHN-157989",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2019-6554",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2019-6554",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2019-6554",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2019-6554",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2019-6554",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2019-6554",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-08947",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201904-094",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-157989",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6554"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition. Advantech WebAccess/SCADA Contains an access control vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within UninstallWA.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess/SCADA is prone to the following vulnerabilities:\n1. Multiple command-injection vulnerabilities\n2. A denial-of-service vulnerability\n3. Multiple stack-based buffer-overflow vulnerabilities\nAn attacker can exploit these issues to inject and execute arbitrary commands in the context of the application. Failed exploit attempts will result in denial-of-service conditions",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-6554"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "BID",
        "id": "107675"
      },
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989"
      }
    ],
    "trust": 3.33
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-6554",
        "trust": 4.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-19-092-01",
        "trust": 3.4
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-331",
        "trust": 1.3
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094",
        "trust": 0.9
      },
      {
        "db": "BID",
        "id": "107675",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-7908",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.1113",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "6A9BB3F5-E6BE-4DC2-9D2B-57459A62BF8C",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989"
      },
      {
        "db": "BID",
        "id": "107675"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6554"
      }
    ]
  },
  "id": "VAR-201904-0184",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989"
      }
    ],
    "trust": 1.4466745799999998
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:17:06.371000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Advantech WebAccess",
        "trust": 0.8,
        "url": "https://www.advantech.co.jp/industrial-automation/webaccess"
      },
      {
        "title": "Advantech has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01"
      },
      {
        "title": "Advantech WebAccess/SCADA Patch for Incorrect Access Control Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/157947"
      },
      {
        "title": "Advantech WebAccess  and Advantech WebAccess/SCADA Fixes for access control error vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91017"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-284",
        "trust": 1.9
      },
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-157989"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6554"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 4.1,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-19-092-01"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6554"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/bid/107675"
      },
      {
        "trust": 0.9,
        "url": "https://www.advantech.com/"
      },
      {
        "trust": 0.9,
        "url": "https://support.advantech.com/support/downloadsrdetail_new.aspx?sr_id=1-ms9mjv\u0026doc_source=download"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6554"
      },
      {
        "trust": 0.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-19-331/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/78318"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-331"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989"
      },
      {
        "db": "BID",
        "id": "107675"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6554"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-331",
        "ident": null
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947",
        "ident": null
      },
      {
        "db": "VULHUB",
        "id": "VHN-157989",
        "ident": null
      },
      {
        "db": "BID",
        "id": "107675",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-003119",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6554",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2019-04-03T00:00:00",
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c",
        "ident": null
      },
      {
        "date": "2019-04-02T00:00:00",
        "db": "ZDI",
        "id": "ZDI-19-331",
        "ident": null
      },
      {
        "date": "2019-04-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-08947",
        "ident": null
      },
      {
        "date": "2019-04-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-157989",
        "ident": null
      },
      {
        "date": "2019-04-02T00:00:00",
        "db": "BID",
        "id": "107675",
        "ident": null
      },
      {
        "date": "2019-05-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-003119",
        "ident": null
      },
      {
        "date": "2019-04-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-094",
        "ident": null
      },
      {
        "date": "2019-04-05T19:29:00.407000",
        "db": "NVD",
        "id": "CVE-2019-6554",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2019-04-02T00:00:00",
        "db": "ZDI",
        "id": "ZDI-19-331",
        "ident": null
      },
      {
        "date": "2019-04-03T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-08947",
        "ident": null
      },
      {
        "date": "2020-10-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-157989",
        "ident": null
      },
      {
        "date": "2019-04-02T00:00:00",
        "db": "BID",
        "id": "107675",
        "ident": null
      },
      {
        "date": "2019-05-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-003119",
        "ident": null
      },
      {
        "date": "2020-10-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-094",
        "ident": null
      },
      {
        "date": "2024-11-21T04:46:41.090000",
        "db": "NVD",
        "id": "CVE-2019-6554",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "Advantech WebAccess/SCADA Incorrect access control vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "6a9bb3f5-e6be-4dc2-9d2b-57459a62bf8c"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-08947"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-094"
      }
    ],
    "trust": 0.6
  }
}

cnvd-2019-08947

Vulnerability from cnvd

Title

Advantech WebAccess/SCADA不正确的访问控制漏洞

Description

Advantech WebAccess/SCADA是研华（Advantech）公司的一套基于浏览器架构的SCADA软件。该软件支持动态图形显示和实时数据控制，并提供远程控制和管理自动化设备的功能。 Advantech WebAccess/SCADA存在不正确的访问控制漏洞，攻击者可利用该漏洞导致拒绝服务。

Severity

高

Patch Name

Advantech WebAccess/SCADA不正确的访问控制漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01

Impacted products

Name
Advantech WebAccess/SCADA <=8.3.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-6554"
    }
  },
  "description": "Advantech WebAccess/SCADA\u662f\u7814\u534e\uff08Advantech\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u6d4f\u89c8\u5668\u67b6\u6784\u7684SCADA\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u52a8\u6001\u56fe\u5f62\u663e\u793a\u548c\u5b9e\u65f6\u6570\u636e\u63a7\u5236\uff0c\u5e76\u63d0\u4f9b\u8fdc\u7a0b\u63a7\u5236\u548c\u7ba1\u7406\u81ea\u52a8\u5316\u8bbe\u5907\u7684\u529f\u80fd\u3002\n\nAdvantech WebAccess/SCADA\u5b58\u5728\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Mat Powell\u548cNatnael Samson,Zero Day Initiative",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV\u0026Doc_Source=Download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-08947",
  "openTime": "2019-04-03",
  "patchDescription": "Advantech WebAccess/SCADA\u662f\u7814\u534e\uff08Advantech\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u6d4f\u89c8\u5668\u67b6\u6784\u7684SCADA\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u52a8\u6001\u56fe\u5f62\u663e\u793a\u548c\u5b9e\u65f6\u6570\u636e\u63a7\u5236\uff0c\u5e76\u63d0\u4f9b\u8fdc\u7a0b\u63a7\u5236\u548c\u7ba1\u7406\u81ea\u52a8\u5316\u8bbe\u5907\u7684\u529f\u80fd\u3002\r\n\r\nAdvantech WebAccess/SCADA\u5b58\u5728\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Advantech WebAccess/SCADA\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Advantech WebAccess/SCADA \u003c=8.3.5"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01",
  "serverity": "\u9ad8",
  "submitTime": "2019-04-03",
  "title": "Advantech WebAccess/SCADA\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2019-6554 (GCVE-0-2019-6554)

Vulnerability from cvelistv5

gsd-2019-6554

Vulnerability from gsd

ICSA-19-092-01

Vulnerability from csaf_cisa

icsa-19-092-01

Vulnerability from csaf_cisa

fkie_cve-2019-6554

Vulnerability from fkie_nvd

ghsa-4pmv-cr3m-c6qv

Vulnerability from github

var-201904-0184

Vulnerability from variot

cnvd-2019-08947

Vulnerability from cnvd

Tags

Sightings

Nomenclature