cve-2018-18990
Vulnerability from cvelistv5
Published
2019-02-05 18:00
Modified
2024-09-17 01:21
Severity ?
EPSS score ?
Summary
LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied path in file operations prior to proper validation. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process.
References
▼ | URL | Tags | |
---|---|---|---|
ics-cert@hq.dhs.gov | http://www.securityfocus.com/bid/106634 | Third Party Advisory, VDB Entry | |
ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01 | Third Party Advisory, US Government Resource |
Impacted products
▼ | Vendor | Product |
---|---|---|
ICS-CERT | LCDS Laquis SCADA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:23:08.494Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01" }, { "name": "106634", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106634" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "LCDS Laquis SCADA", "vendor": "ICS-CERT", "versions": [ { "status": "affected", "version": "All versions prior to version 4.1.0.4150" } ] } ], "datePublic": "2019-01-15T00:00:00", "descriptions": [ { "lang": "en", "value": "LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied path in file operations prior to proper validation. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-23", "description": "RELATIVE PATH TRAVERSAL CWE-23", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-06T10:57:02", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01" }, { "name": "106634", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106634" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2019-01-15T00:00:00", "ID": "CVE-2018-18990", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "LCDS Laquis SCADA", "version": { "version_data": [ { "version_value": "All versions prior to version 4.1.0.4150" } ] } } ] }, "vendor_name": "ICS-CERT" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied path in file operations prior to proper validation. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "RELATIVE PATH TRAVERSAL CWE-23" } ] } ] }, "references": { "reference_data": [ { "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01" }, { "name": "106634", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106634" } ] } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2018-18990", "datePublished": "2019-02-05T18:00:00Z", "dateReserved": "2018-11-06T00:00:00", "dateUpdated": "2024-09-17T01:21:51.337Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2018-18990\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2019-02-05T18:29:00.587\",\"lastModified\":\"2019-10-09T23:37:32.193\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied path in file operations prior to proper validation. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process.\"},{\"lang\":\"es\",\"value\":\"LCDS Laquis SCADA, en versiones anteriores a la 4.1.0.4150, permite una ruta proporcionada por el usuario en operaciones de archivo antes de validarse correctamente. Un atacante podr\u00eda aprovecharse de esta vulnerabilidad para divulgar informaci\u00f3n sensible en el contexto del proceso del servidor web.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lcds:laquis_scada:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.0.4150\",\"matchCriteriaId\":\"A410DB6E-D5ED-411B-85EF-8445506E147A\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/106634\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.