cvelistv5 - cve-2019-8998

CVE-2019-8998 (GCVE-0-2019-8998)

Vulnerability from cvelistv5

Published

2019-07-12 15:30

Modified

2025-08-22 15:09

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

Information disclosure leading to a potential local escalation of privilege
CWE-413 - Improper Resource Locking

Summary

An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.

References

URL

	Vendor	Product	Version
	BlackBerry	QNX Software Development Platform (QNX SDP)	Version: 6.5.0 SP1 and earlier

icsa-19-262-01

Vulnerability from csaf_cisa

Published

2019-09-19 00:00

Modified

2019-09-19 00:00

Summary

Tridium Niagara

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided 'as is' for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow a local user to escalate their privileges.

Critical infrastructure sectors

Commercial Facilities, Critical Manufacturing, Government Facilities, Information Technology

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Johannes Eger",
          "Fabian Ullrich"
        ],
        "organization": "the Secure Mobile Networking Lab",
        "summary": "reporting CVE-2019-8998 to BlackBerry"
      },
      {
        "names": [
          "Francisco Tacliad"
        ],
        "summary": "reporting CVE-2019-13528 to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \u0027as is\u0027 for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow a local user to escalate their privileges.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Commercial Facilities, Critical Manufacturing, Government Facilities, Information Technology",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-262-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-262-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-262-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-262-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Tridium Niagara",
    "tracking": {
      "current_release_date": "2019-09-19T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-262-01",
      "initial_release_date": "2019-09-19T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-09-19T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-262-01 Tridium Niagara"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.7u1 (JACE-8000 Edge 10)",
                "product": {
                  "name": "Niagara: 4.7u1 (JACE-8000 Edge 10)",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.4u3 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                "product": {
                  "name": "Niagara: 4.4u3 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.8u4 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                "product": {
                  "name": "Niagara AX: 3.8u4 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara AX"
          }
        ],
        "category": "vendor",
        "name": "Tridium"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-8998",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The QNX procfs service provides access to various process information and assets, which could allow a less privileged process to gain access to a target address space.CVE-2019-8998 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8998"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: OS Dist: 2.7.402.2",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: NRE Config Dist: 3.8.401.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: OS Dist: 4.4.73.38.1 NRE Config",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: Dist: 4.4.94.14.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: OS Dist: (JACE 8000) 4.7.109.16.1,empty\nicsa-19-262-01.json,vendor_fix,Niagara 4.7u1: OS Dist (Edge 10): 4.7.109.18.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: NRE Config Dist: 4.7.110.32.1,empty\nicsa-19-262-01.json,vendor_fix,Updates are available by contacting the sales support channel or by contacting the Tridium support team at support@tridium.com,mailto:support@tridium.com\nicsa-19-262-01.json,vendor_fix,All Tridium Niagara users for all supported platforms are encouraged to update their systems with these releases to mitigate risk. For further guidance please contact a Tridium account manager or Customer Support.\u0027",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Review and validate the list of authorized users who can authenticate to Niagara.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Allow only trained and trusted persons to have physical access to the system, including devices with connection to the system though the Ethernet port.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: Security Bulletin# SB 2019-Tridium-3",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulnerability_fix.ashx?la=en"
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: BlackBerry\u0027s Security Advisory QNX-2019-001",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2019-13528",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A specific utility may allow an attacker to gain read access to privileged files.CVE-2019-13528 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13528"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: OS Dist: 2.7.402.2",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: NRE Config Dist: 3.8.401.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: OS Dist: 4.4.73.38.1 NRE Config",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: Dist: 4.4.94.14.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: OS Dist: (JACE 8000) 4.7.109.16.1,empty\nicsa-19-262-01.json,vendor_fix,Niagara 4.7u1: OS Dist (Edge 10): 4.7.109.18.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: NRE Config Dist: 4.7.110.32.1,empty\nicsa-19-262-01.json,vendor_fix,Updates are available by contacting the sales support channel or by contacting the Tridium support team at support@tridium.com,mailto:support@tridium.com\nicsa-19-262-01.json,vendor_fix,All Tridium Niagara users for all supported platforms are encouraged to update their systems with these releases to mitigate risk. For further guidance please contact a Tridium account manager or Customer Support.\u0027",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Review and validate the list of authorized users who can authenticate to Niagara.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Allow only trained and trusted persons to have physical access to the system, including devices with connection to the system though the Ethernet port.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: Security Bulletin# SB 2019-Tridium-3",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulnerability_fix.ashx?la=en"
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: BlackBerry\u0027s Security Advisory QNX-2019-001",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

ICSA-19-262-01

Vulnerability from csaf_cisa

Published

2019-09-19 00:00

Modified

2019-09-19 00:00

Summary

Tridium Niagara

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of these vulnerabilities could allow a local user to escalate their privileges.

Critical infrastructure sectors

Commercial Facilities, Critical Manufacturing, Government Facilities, Information Technology

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Johannes Eger",
          "Fabian Ullrich"
        ],
        "organization": "the Secure Mobile Networking Lab",
        "summary": "reporting CVE-2019-8998 to BlackBerry"
      },
      {
        "names": [
          "Francisco Tacliad"
        ],
        "summary": "reporting CVE-2019-13528 to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \u0027as is\u0027 for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow a local user to escalate their privileges.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Commercial Facilities, Critical Manufacturing, Government Facilities, Information Technology",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-262-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-262-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-262-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-262-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Tridium Niagara",
    "tracking": {
      "current_release_date": "2019-09-19T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-262-01",
      "initial_release_date": "2019-09-19T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-09-19T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-262-01 Tridium Niagara"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.7u1 (JACE-8000 Edge 10)",
                "product": {
                  "name": "Niagara: 4.7u1 (JACE-8000 Edge 10)",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "4.4u3 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                "product": {
                  "name": "Niagara: 4.4u3 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.8u4 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                "product": {
                  "name": "Niagara AX: 3.8u4 (JACE 3e JACE 6e JACE 7 JACE-8000)",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Niagara AX"
          }
        ],
        "category": "vendor",
        "name": "Tridium"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-8998",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The QNX procfs service provides access to various process information and assets, which could allow a less privileged process to gain access to a target address space.CVE-2019-8998 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8998"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: OS Dist: 2.7.402.2",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: NRE Config Dist: 3.8.401.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: OS Dist: 4.4.73.38.1 NRE Config",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: Dist: 4.4.94.14.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: OS Dist: (JACE 8000) 4.7.109.16.1,empty\nicsa-19-262-01.json,vendor_fix,Niagara 4.7u1: OS Dist (Edge 10): 4.7.109.18.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: NRE Config Dist: 4.7.110.32.1,empty\nicsa-19-262-01.json,vendor_fix,Updates are available by contacting the sales support channel or by contacting the Tridium support team at support@tridium.com,mailto:support@tridium.com\nicsa-19-262-01.json,vendor_fix,All Tridium Niagara users for all supported platforms are encouraged to update their systems with these releases to mitigate risk. For further guidance please contact a Tridium account manager or Customer Support.\u0027",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Review and validate the list of authorized users who can authenticate to Niagara.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Allow only trained and trusted persons to have physical access to the system, including devices with connection to the system though the Ethernet port.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: Security Bulletin# SB 2019-Tridium-3",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulnerability_fix.ashx?la=en"
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: BlackBerry\u0027s Security Advisory QNX-2019-001",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2019-13528",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A specific utility may allow an attacker to gain read access to privileged files.CVE-2019-13528 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13528"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: OS Dist: 2.7.402.2",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Niagara AX 3.8u4: NRE Config Dist: 3.8.401.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: OS Dist: 4.4.73.38.1 NRE Config",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.4u3: Dist: 4.4.94.14.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: OS Dist: (JACE 8000) 4.7.109.16.1,empty\nicsa-19-262-01.json,vendor_fix,Niagara 4.7u1: OS Dist (Edge 10): 4.7.109.18.1",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Niagara 4.7u1: NRE Config Dist: 4.7.110.32.1,empty\nicsa-19-262-01.json,vendor_fix,Updates are available by contacting the sales support channel or by contacting the Tridium support team at support@tridium.com,mailto:support@tridium.com\nicsa-19-262-01.json,vendor_fix,All Tridium Niagara users for all supported platforms are encouraged to update their systems with these releases to mitigate risk. For further guidance please contact a Tridium account manager or Customer Support.\u0027",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Review and validate the list of authorized users who can authenticate to Niagara.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Allow only trained and trusted persons to have physical access to the system, including devices with connection to the system though the Ethernet port.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: Security Bulletin# SB 2019-Tridium-3",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulnerability_fix.ashx?la=en"
        },
        {
          "category": "mitigation",
          "details": "For more information please refer to: BlackBerry\u0027s Security Advisory QNX-2019-001",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

gsd-2019-8998

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2019-8998

Aliases

CVE-2019-8998

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-8998",
    "description": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.",
    "id": "GSD-2019-8998"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-8998"
      ],
      "details": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.",
      "id": "GSD-2019-8998",
      "modified": "2023-12-13T01:23:48.474499Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@blackberry.com",
        "ID": "CVE-2019-8998",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "BlackBerry QNX Software Development Platform (QNX SDP)",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "6.5.0 SP1 and earlier"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information disclosure leading to a potential local escalation of privilege"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178",
            "refsource": "MISC",
            "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:blackberry:qnx_software_development_platform:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@blackberry.com",
          "ID": "CVE-2019-8998"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-07-21T11:39Z",
      "publishedDate": "2019-07-12T16:15Z"
    }
  }
}

fkie_cve-2019-8998

Vulnerability from fkie_nvd

Published

2019-07-12 16:15

Modified

2025-08-22 16:15

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	secure@blackberry.com	http://support.blackberry.com/kb/articleDetail?articleNumber=000057178	Mitigation, Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://support.blackberry.com/kb/articleDetail?articleNumber=000057178	Mitigation, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	blackberry	qnx_software_development_platform	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:blackberry:qnx_software_development_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E1730CD-987E-4AE4-B84B-A7ABB3E5A488",
              "versionEndIncluding": "6.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n que conlleva a una potencial escalada local de privilegios en el servicio procfs (el sistema de archivos /proc) de la Plataforma de Desarrollo de Software BlackBerry QNX versi\u00f3n 6.5.0 SP1 y anteriores, podr\u00eda permitir a un atacante conseguir acceso no autorizado a un espacio de direcci\u00f3n de un proceso elegido."
    }
  ],
  "id": "CVE-2019-8998",
  "lastModified": "2025-08-22T16:15:33.343",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.1,
        "impactScore": 6.0,
        "source": "secure@blackberry.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2019-07-12T16:15:11.773",
  "references": [
    {
      "source": "secure@blackberry.com",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
    }
  ],
  "sourceIdentifier": "secure@blackberry.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-413"
        }
      ],
      "source": "secure@blackberry.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cnvd-2019-23834

Vulnerability from cnvd

Title

BlackBerry QNX Software Development Platform信息泄露漏洞（CNVD-2019-23834）

Description

BlackBerry QNX Software Development Platform是加拿大黑莓（BlackBerry）公司的一套QNX软件开发平台。该平台主要用于开发基于QNX平台的软件。 BlackBerry QNX Software Development Platform 6.5.0 SP1及之前版本中存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。

Severity

中

Patch Name

BlackBerry QNX Software Development Platform信息泄露漏洞（CNVD-2019-23834）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://support.blackberry.com/kb/articleDetail?articleNumber=000057178

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-8998

Impacted products

Name
Blackberry QNX Software Development Platform <=6.5.0 SP1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-8998"
    }
  },
  "description": "BlackBerry QNX Software Development Platform\u662f\u52a0\u62ff\u5927\u9ed1\u8393\uff08BlackBerry\uff09\u516c\u53f8\u7684\u4e00\u5957QNX\u8f6f\u4ef6\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u5f00\u53d1\u57fa\u4e8eQNX\u5e73\u53f0\u7684\u8f6f\u4ef6\u3002\n\nBlackBerry QNX Software Development Platform 6.5.0 SP1\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u5b58\u5728\u914d\u7f6e\u7b49\u9519\u8bef\u3002\u672a\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u53d7\u5f71\u54cd\u7ec4\u4ef6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "unKnow",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://support.blackberry.com/kb/articleDetail?articleNumber=000057178",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-23834",
  "openTime": "2019-07-23",
  "patchDescription": "BlackBerry QNX Software Development Platform\u662f\u52a0\u62ff\u5927\u9ed1\u8393\uff08BlackBerry\uff09\u516c\u53f8\u7684\u4e00\u5957QNX\u8f6f\u4ef6\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u5f00\u53d1\u57fa\u4e8eQNX\u5e73\u53f0\u7684\u8f6f\u4ef6\u3002\r\n\r\nBlackBerry QNX Software Development Platform 6.5.0 SP1\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u5b58\u5728\u914d\u7f6e\u7b49\u9519\u8bef\u3002\u672a\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u53d7\u5f71\u54cd\u7ec4\u4ef6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "BlackBerry QNX Software Development Platform\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2019-23834\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Blackberry QNX Software Development Platform \u003c=6.5.0 SP1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-8998",
  "serverity": "\u4e2d",
  "submitTime": "2019-07-16",
  "title": "BlackBerry QNX Software Development Platform\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2019-23834\uff09"
}

ghsa-6fpp-3m7q-q8jc

Vulnerability from github

Published

2022-05-24 16:50

Modified

2024-04-04 01:15

Severity ?

7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-8998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-413"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An information disclosure vulnerability leading to a potential local escalation of privilege in the procfs service (the /proc filesystem) of BlackBerry QNX Software Development Platform version(s) 6.5.0 SP1 and earlier could allow an attacker to potentially gain unauthorized access to a chosen process address space.",
  "id": "GHSA-6fpp-3m7q-q8jc",
  "modified": "2024-04-04T01:15:36Z",
  "published": "2022-05-24T16:50:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8998"
    },
    {
      "type": "WEB",
      "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000057178"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2019-8998 (GCVE-0-2019-8998)

Vulnerability from cvelistv5

icsa-19-262-01

Vulnerability from csaf_cisa

ICSA-19-262-01

Vulnerability from csaf_cisa

gsd-2019-8998

Vulnerability from gsd

fkie_cve-2019-8998

Vulnerability from fkie_nvd

cnvd-2019-23834

Vulnerability from cnvd

ghsa-6fpp-3m7q-q8jc

Vulnerability from github

Tags

Sightings

Nomenclature