cnvd - cnvd-2020-10131

CNVD-2020-10131

Vulnerability from cnvd - Published: 2020-02-18

Title

ABB Asset Suite访问控制错误漏洞

Description

ABB Asset Suite是瑞士ABB公司的一套主要用于发电行业的企业资产管理解决方案。 ABB Asset Suite中的Web界面存在访问控制错误漏洞。该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。攻击者可利用该漏洞获取网站敏感信息。

Severity

高

Patch Name

ABB Asset Suite访问控制错误漏洞的补丁

Patch Description

ABB Asset Suite是瑞士ABB公司的一套主要用于发电行业的企业资产管理解决方案。 ABB Asset Suite中的Web界面存在访问控制错误漏洞。该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。攻击者可利用该漏洞获取网站敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://new.abb.com/

Reference

https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch https://nvd.nist.gov/vuln/detail/CVE-2019-18998

Impacted products

Name
['ABB ABB Asset Suite >=9.0，<=9.3', 'ABB ABB Asset Suite 9.4，<9.4.2.6', 'ABB ABB Asset Suite 9.5，<9.5.3.2', 'ABB ABB Asset Suite 9.6.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-18998"
    }
  },
  "description": "ABB Asset Suite\u662f\u745e\u58ebABB\u516c\u53f8\u7684\u4e00\u5957\u4e3b\u8981\u7528\u4e8e\u53d1\u7535\u884c\u4e1a\u7684\u4f01\u4e1a\u8d44\u4ea7\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\n\nABB Asset Suite\u4e2d\u7684Web\u754c\u9762\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\u3002 \u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7f51\u7ad9\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://new.abb.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-10131",
  "openTime": "2020-02-18",
  "patchDescription": "ABB Asset Suite\u662f\u745e\u58ebABB\u516c\u53f8\u7684\u4e00\u5957\u4e3b\u8981\u7528\u4e8e\u53d1\u7535\u884c\u4e1a\u7684\u4f01\u4e1a\u8d44\u4ea7\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nABB Asset Suite\u4e2d\u7684Web\u754c\u9762\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7f51\u7ad9\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ABB Asset Suite\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ABB ABB Asset Suite \u003e=9.0\uff0c\u003c=9.3",
      "ABB ABB Asset Suite 9.4\uff0c\u003c9.4.2.6",
      "ABB ABB Asset Suite 9.5\uff0c\u003c9.5.3.2",
      "ABB ABB Asset Suite 9.6.0"
    ]
  },
  "referenceLink": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18998",
  "serverity": "\u9ad8",
  "submitTime": "2020-02-18",
  "title": "ABB Asset Suite\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2019-18998 (GCVE-0-2019-18998)

Vulnerability from cvelistv5 – Published: 2020-02-17 18:40 – Updated: 2024-08-05 02:02

Title

Asset Suite Direct Object Reference Access

Summary

Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-284 - Improper Access Control

Assigner

ABB

References

URL

Tags

	https://search.abb.com/library/Download.aspx?Docu…	x_refsource_CONFIRM
	https://www.us-cert.gov/ics/advisories/icsa-20-072-02	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ABB	Asset Suite	Affected: 9.0 to 9.3 Affected: 9.4 prior to 9.4.2.6 Affected: 9.5 prior to 9.5.3.2 Affected: 9.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:02:39.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Asset Suite",
          "vendor": "ABB",
          "versions": [
            {
              "status": "affected",
              "version": "9.0 to 9.3"
            },
            {
              "status": "affected",
              "version": "9.4 prior to 9.4.2.6"
            },
            {
              "status": "affected",
              "version": "9.5 prior to 9.5.3.2"
            },
            {
              "status": "affected",
              "version": "9.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-12T22:28:21",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The vulnerability is corrected in the following product versions:\nAsset Suite 9.4.2.6\nAsset Suite 9.5.3.2\nAsset Suite 9.6.1"
        }
      ],
      "source": {
        "advisory": "ABBVU-PGGA-2019013",
        "discovery": "UNKNOWN"
      },
      "title": "Asset Suite Direct Object Reference Access",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "ID": "CVE-2019-18998",
          "STATE": "PUBLIC",
          "TITLE": "Asset Suite Direct Object Reference Access"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Asset Suite",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.0 to 9.3"
                          },
                          {
                            "version_value": "9.4 prior to 9.4.2.6"
                          },
                          {
                            "version_value": "9.5 prior to 9.5.3.2"
                          },
                          {
                            "version_value": "9.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ABB"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "CONFIRM",
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            },
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The vulnerability is corrected in the following product versions:\nAsset Suite 9.4.2.6\nAsset Suite 9.5.3.2\nAsset Suite 9.6.1"
          }
        ],
        "source": {
          "advisory": "ABBVU-PGGA-2019013",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2019-18998",
    "datePublished": "2020-02-17T18:40:38",
    "dateReserved": "2019-11-15T00:00:00",
    "dateUpdated": "2024-08-05T02:02:39.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-10131

CVE-2019-18998 (GCVE-0-2019-18998)

Tags

Sightings

Nomenclature