cvelistv5 - cve-2019-18998

CVE-2019-18998 (GCVE-0-2019-18998)

Vulnerability from cvelistv5 – Published: 2020-02-17 18:40 – Updated: 2024-08-05 02:02

Title

Asset Suite Direct Object Reference Access

Summary

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-284 - Improper Access Control

Assigner

ABB

References

URL

Tags

	https://search.abb.com/library/Download.aspx?Docu…	x_refsource_CONFIRM
	https://www.us-cert.gov/ics/advisories/icsa-20-072-02	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ABB	Asset Suite	Affected: 9.0 to 9.3 Affected: 9.4 prior to 9.4.2.6 Affected: 9.5 prior to 9.5.3.2 Affected: 9.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:02:39.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Asset Suite",
          "vendor": "ABB",
          "versions": [
            {
              "status": "affected",
              "version": "9.0 to 9.3"
            },
            {
              "status": "affected",
              "version": "9.4 prior to 9.4.2.6"
            },
            {
              "status": "affected",
              "version": "9.5 prior to 9.5.3.2"
            },
            {
              "status": "affected",
              "version": "9.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-12T22:28:21",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The vulnerability is corrected in the following product versions:\nAsset Suite 9.4.2.6\nAsset Suite 9.5.3.2\nAsset Suite 9.6.1"
        }
      ],
      "source": {
        "advisory": "ABBVU-PGGA-2019013",
        "discovery": "UNKNOWN"
      },
      "title": "Asset Suite Direct Object Reference Access",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "ID": "CVE-2019-18998",
          "STATE": "PUBLIC",
          "TITLE": "Asset Suite Direct Object Reference Access"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Asset Suite",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.0 to 9.3"
                          },
                          {
                            "version_value": "9.4 prior to 9.4.2.6"
                          },
                          {
                            "version_value": "9.5 prior to 9.5.3.2"
                          },
                          {
                            "version_value": "9.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ABB"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284 Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "CONFIRM",
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            },
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The vulnerability is corrected in the following product versions:\nAsset Suite 9.4.2.6\nAsset Suite 9.5.3.2\nAsset Suite 9.6.1"
          }
        ],
        "source": {
          "advisory": "ABBVU-PGGA-2019013",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2019-18998",
    "datePublished": "2020-02-17T18:40:38",
    "dateReserved": "2019-11-15T00:00:00",
    "dateUpdated": "2024-08-05T02:02:39.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.0.0\", \"versionEndIncluding\": \"9.3.0\", \"matchCriteriaId\": \"A6554BA4-B349-425B-993E-0EA57752CE2A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.4\", \"versionEndExcluding\": \"9.4.2.6\", \"matchCriteriaId\": \"C7004DE5-75BC-46AA-82D8-D1EC0255BBB1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.5.0\", \"versionEndExcluding\": \"9.5.3.2\", \"matchCriteriaId\": \"9005FA0D-504F-4016-A9FD-6F8D83DD295D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hitachienergy:asset_suite:9.6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36DD2317-A06E-4514-B365-2B88F049B2C1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.\"}, {\"lang\": \"es\", \"value\": \"Un control de acceso insuficiente en la interfaz web de ABB Asset Suite versiones 9.0 hasta 9.3, versiones 9.4 anteriores a 9.4.2.6, versiones 9.5 anteriores a 9.5.3.2 y versi\\u00f3n 9.6.0, permite el acceso completo a objetos referenciados directamente. Un atacante con conocimiento de la URL de un recurso puede acceder al recurso directamente.\"}]",
      "id": "CVE-2019-18998",
      "lastModified": "2024-11-21T04:33:57.980",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cybersecurity@ch.abb.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:N\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-02-17T19:15:12.150",
      "references": "[{\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"cybersecurity@ch.abb.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-20-072-02\", \"source\": \"cybersecurity@ch.abb.com\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-20-072-02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "cybersecurity@ch.abb.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@ch.abb.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-18998\",\"sourceIdentifier\":\"cybersecurity@ch.abb.com\",\"published\":\"2020-02-17T19:15:12.150\",\"lastModified\":\"2024-11-21T04:33:57.980\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.\"},{\"lang\":\"es\",\"value\":\"Un control de acceso insuficiente en la interfaz web de ABB Asset Suite versiones 9.0 hasta 9.3, versiones 9.4 anteriores a 9.4.2.6, versiones 9.5 anteriores a 9.5.3.2 y versi\u00f3n 9.6.0, permite el acceso completo a objetos referenciados directamente. Un atacante con conocimiento de la URL de un recurso puede acceder al recurso directamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@ch.abb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:N\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cybersecurity@ch.abb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndIncluding\":\"9.3.0\",\"matchCriteriaId\":\"A6554BA4-B349-425B-993E-0EA57752CE2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4\",\"versionEndExcluding\":\"9.4.2.6\",\"matchCriteriaId\":\"C7004DE5-75BC-46AA-82D8-D1EC0255BBB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.5.0\",\"versionEndExcluding\":\"9.5.3.2\",\"matchCriteriaId\":\"9005FA0D-504F-4016-A9FD-6F8D83DD295D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:asset_suite:9.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36DD2317-A06E-4514-B365-2B88F049B2C1\"}]}]}],\"references\":[{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@ch.abb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-20-072-02\",\"source\":\"cybersecurity@ch.abb.com\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-20-072-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}

GHSA-WXXJ-XQH4-VHM2

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2023-05-16 21:30

Details

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-18998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-17T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.",
  "id": "GHSA-wxxj-xqh4-vhm2",
  "modified": "2023-05-16T21:30:17Z",
  "published": "2022-05-24T17:09:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18998"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2019-18998

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-18998

Aliases

CVE-2019-18998

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-18998",
    "description": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.",
    "id": "GSD-2019-18998"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-18998"
      ],
      "details": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.",
      "id": "GSD-2019-18998",
      "modified": "2023-12-13T01:23:50.198610Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@ch.abb.com",
        "ID": "CVE-2019-18998",
        "STATE": "PUBLIC",
        "TITLE": "Asset Suite Direct Object Reference Access"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Asset Suite",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "9.0 to 9.3"
                        },
                        {
                          "version_value": "9.4 prior to 9.4.2.6"
                        },
                        {
                          "version_value": "9.5 prior to 9.5.3.2"
                        },
                        {
                          "version_value": "9.6.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ABB"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-284 Improper Access Control"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
            "refsource": "CONFIRM",
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          },
          {
            "name": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02",
            "refsource": "MISC",
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "The vulnerability is corrected in the following product versions:\nAsset Suite 9.4.2.6\nAsset Suite 9.5.3.2\nAsset Suite 9.6.1"
        }
      ],
      "source": {
        "advisory": "ABBVU-PGGA-2019013",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:9.6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.5.3.2",
                "versionStartIncluding": "9.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.4.2.6",
                "versionStartIncluding": "9.4",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.3.0",
                "versionStartIncluding": "9.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "ID": "CVE-2019-18998"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-639"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            },
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      },
      "lastModifiedDate": "2023-05-16T20:06Z",
      "publishedDate": "2020-02-17T19:15Z"
    }
  }
}

ICSA-20-072-02

Vulnerability from csaf_cisa - Published: 2020-03-12 00:00 - Updated: 2020-03-12 00:00

Summary

ABB Asset Suite

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker access to unauthorized information in the application by direct resource access.

Critical infrastructure sectors

Energy

Countries/areas deployed

Worldwide

Company headquarters location

Switzerland

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "ABB",
        "summary": "reporting this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker access to unauthorized information in the application by direct resource access.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Switzerland",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-072-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-072-02.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-072-02 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-072-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "ABB Asset Suite",
    "tracking": {
      "current_release_date": "2020-03-12T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-20-072-02",
      "initial_release_date": "2020-03-12T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-03-12T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-20-072-02 ABB Asset Suite"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.6 (excluding 9.4.2.6 and 9.5.3.2)",
                "product": {
                  "name": "Asset Suite: Versions 9.6 and prior excluding 9.4.2.6 and 9.5.3.2",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Asset Suite"
          }
        ],
        "category": "vendor",
        "name": "ABB"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-18998",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "notes": [
        {
          "category": "summary",
          "text": "There is a flaw in the access controls used to limit user access to resources. If an attacker knows, or were to discover, the URL for a resource they do not have permissions to, they would be able to access the resource by browsing directly to the URL.CVE-2019-18998 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18998"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Versions 9.4.2.6, 9.5.3.2, and 9.6.1",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For additional information and support, please contact your local ABB service organization. For contact information, see https://new.abb.com/contact-centers or visit http://www.abb.com/cybersecurity",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://new.abb.com/contact-centers"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

VAR-202002-0493

Vulnerability from variot - Updated: 2023-12-18 13:47

Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. ABB Asset Suite Exists in a user-controlled key authentication evasion vulnerability.Information may be obtained and tampered with. ABB Asset Suite is a set of enterprise asset management solutions mainly used in the power generation industry by Swiss ABB company. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to obtain sensitive information on the website. The following products and versions are affected: ABB Asset Suite from version 9.0 to version 9.3, version 9.4 before 9.4.2.6, version 9.5 before 9.5.3.2, version 9.6.0

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0493",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "abb",
        "version": "9.6.0"
      },
      {
        "model": "asset suite",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.3.0"
      },
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.6.0"
      },
      {
        "model": "asset suite",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.5.3.2"
      },
      {
        "model": "asset suite",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.4"
      },
      {
        "model": "asset suite",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.4.2.6"
      },
      {
        "model": "asset suite",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.0.0"
      },
      {
        "model": "asset suite",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "hitachienergy",
        "version": "9.5.0"
      },
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "abb",
        "version": "9.0 \u304b\u3089 9.3"
      },
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "abb",
        "version": "9.4 \u4ee5\u4e0a 9.4.2.6"
      },
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "abb",
        "version": "9.5 \u4ee5\u4e0a 9.5.3.2"
      },
      {
        "model": "asset suite",
        "scope": "gte",
        "trust": 0.6,
        "vendor": "abb",
        "version": "9.0,\u003c=9.3"
      },
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "abb",
        "version": "9.4,\u003c9.4.2.6"
      },
      {
        "model": "asset suite",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "abb",
        "version": "9.5,\u003c9.5.3.2"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "asset suite",
        "version": "*"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.2,
        "vendor": "asset suite",
        "version": "9.6.0"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:9.6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.5.3.2",
                "versionStartIncluding": "9.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.4.2.6",
                "versionStartIncluding": "9.4",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.3.0",
                "versionStartIncluding": "9.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      }
    ]
  },
  "cve": "CVE-2019-18998",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2019-014607",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "CNVD-2020-10131",
            "impactScore": 7.8,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "IVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "1076aff9-d046-423b-9962-e26fd72b94cc",
            "impactScore": 7.8,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:P/A:N",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "VHN-151400",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 4.2,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.1,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2019-014607",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-18998",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "cybersecurity@ch.abb.com",
            "id": "CVE-2019-18998",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2019-014607",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-10131",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202002-866",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "IVD",
            "id": "1076aff9-d046-423b-9962-e26fd72b94cc",
            "trust": 0.2,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-151400",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly. ABB Asset Suite Exists in a user-controlled key authentication evasion vulnerability.Information may be obtained and tampered with. ABB Asset Suite is a set of enterprise asset management solutions mainly used in the power generation industry by Swiss ABB company. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to obtain sensitive information on the website. The following products and versions are affected: ABB Asset Suite from version 9.0 to version 9.3, version 9.4 before 9.4.2.6, version 9.5 before 9.5.3.2, version 9.6.0",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-18998",
        "trust": 3.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-20-072-02",
        "trust": 2.5
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866",
        "trust": 0.9
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607",
        "trust": 0.8
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.0930",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "47150",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "1076AFF9-D046-423B-9962-E26FD72B94CC",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "id": "VAR-202002-0493",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      }
    ],
    "trust": 1.5666666999999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:47:39.721000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Asset Suite Direct Object Reference Vulnerability",
        "trust": 0.8,
        "url": "https://search.abb.com/library/download.aspx?documentid=9akk107492a9962\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      },
      {
        "title": "Patch for ABB Asset Suite Access Control Error Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/201555"
      },
      {
        "title": "ABB Asset Suite Fixes for access control error vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=110228"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-639",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
      },
      {
        "trust": 2.2,
        "url": "https://search.abb.com/library/download.aspx?documentid=9akk107492a9962\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      },
      {
        "trust": 2.0,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-18998"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18998"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/47150"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.0930/"
      },
      {
        "trust": 0.1,
        "url": "https://search.abb.com/library/download.aspx?documentid=9akk107492a9962\u0026amp;languagecode=en\u0026amp;documentpartid=\u0026amp;action=launch"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-02-17T00:00:00",
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "date": "2020-02-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "date": "2020-03-04T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "date": "2020-02-17T19:15:12.150000",
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-02-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "date": "2020-03-12T00:00:00",
        "db": "VULHUB",
        "id": "VHN-151400"
      },
      {
        "date": "2020-03-31T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-014607"
      },
      {
        "date": "2023-05-16T20:06:09.550000",
        "db": "NVD",
        "id": "CVE-2019-18998"
      },
      {
        "date": "2020-07-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ABB Asset Suite Access Control Error Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-10131"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ],
    "trust": 1.4
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Access control error",
    "sources": [
      {
        "db": "IVD",
        "id": "1076aff9-d046-423b-9962-e26fd72b94cc"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-866"
      }
    ],
    "trust": 0.8
  }
}

CNVD-2020-10131

Vulnerability from cnvd - Published: 2020-02-18

Title

ABB Asset Suite访问控制错误漏洞

Description

ABB Asset Suite是瑞士ABB公司的一套主要用于发电行业的企业资产管理解决方案。 ABB Asset Suite中的Web界面存在访问控制错误漏洞。该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。攻击者可利用该漏洞获取网站敏感信息。

Severity

高

Patch Name

ABB Asset Suite访问控制错误漏洞的补丁

Patch Description

ABB Asset Suite是瑞士ABB公司的一套主要用于发电行业的企业资产管理解决方案。 ABB Asset Suite中的Web界面存在访问控制错误漏洞。该漏洞源于网络系统或产品未正确限制来自未授权角色的资源访问。攻击者可利用该漏洞获取网站敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://new.abb.com/

Reference

https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch https://nvd.nist.gov/vuln/detail/CVE-2019-18998

Impacted products

Name
['ABB ABB Asset Suite >=9.0，<=9.3', 'ABB ABB Asset Suite 9.4，<9.4.2.6', 'ABB ABB Asset Suite 9.5，<9.5.3.2', 'ABB ABB Asset Suite 9.6.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-18998"
    }
  },
  "description": "ABB Asset Suite\u662f\u745e\u58ebABB\u516c\u53f8\u7684\u4e00\u5957\u4e3b\u8981\u7528\u4e8e\u53d1\u7535\u884c\u4e1a\u7684\u4f01\u4e1a\u8d44\u4ea7\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\n\nABB Asset Suite\u4e2d\u7684Web\u754c\u9762\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\u3002 \u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7f51\u7ad9\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://new.abb.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-10131",
  "openTime": "2020-02-18",
  "patchDescription": "ABB Asset Suite\u662f\u745e\u58ebABB\u516c\u53f8\u7684\u4e00\u5957\u4e3b\u8981\u7528\u4e8e\u53d1\u7535\u884c\u4e1a\u7684\u4f01\u4e1a\u8d44\u4ea7\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nABB Asset Suite\u4e2d\u7684Web\u754c\u9762\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u6b63\u786e\u9650\u5236\u6765\u81ea\u672a\u6388\u6743\u89d2\u8272\u7684\u8d44\u6e90\u8bbf\u95ee\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7f51\u7ad9\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ABB Asset Suite\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ABB ABB Asset Suite \u003e=9.0\uff0c\u003c=9.3",
      "ABB ABB Asset Suite 9.4\uff0c\u003c9.4.2.6",
      "ABB ABB Asset Suite 9.5\uff0c\u003c9.5.3.2",
      "ABB ABB Asset Suite 9.6.0"
    ]
  },
  "referenceLink": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18998",
  "serverity": "\u9ad8",
  "submitTime": "2020-02-18",
  "title": "ABB Asset Suite\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

FKIE_CVE-2019-18998

Vulnerability from fkie_nvd - Published: 2020-02-17 19:15 - Updated: 2024-11-21 04:33

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Summary

References

URL	Tags
cybersecurity@ch.abb.com	https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
cybersecurity@ch.abb.com	https://www.us-cert.gov/ics/advisories/icsa-20-072-02	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.us-cert.gov/ics/advisories/icsa-20-072-02	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
hitachienergy	asset_suite	*
hitachienergy	asset_suite	*
hitachienergy	asset_suite	*
hitachienergy	asset_suite	9.6.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6554BA4-B349-425B-993E-0EA57752CE2A",
              "versionEndIncluding": "9.3.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7004DE5-75BC-46AA-82D8-D1EC0255BBB1",
              "versionEndExcluding": "9.4.2.6",
              "versionStartIncluding": "9.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9005FA0D-504F-4016-A9FD-6F8D83DD295D",
              "versionEndExcluding": "9.5.3.2",
              "versionStartIncluding": "9.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hitachienergy:asset_suite:9.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "36DD2317-A06E-4514-B365-2B88F049B2C1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly."
    },
    {
      "lang": "es",
      "value": "Un control de acceso insuficiente en la interfaz web de ABB Asset Suite versiones 9.0 hasta 9.3, versiones 9.4 anteriores a 9.4.2.6, versiones 9.5 anteriores a 9.5.3.2 y versi\u00f3n 9.6.0, permite el acceso completo a objetos referenciados directamente. Un atacante con conocimiento de la URL de un recurso puede acceder al recurso directamente."
    }
  ],
  "id": "CVE-2019-18998",
  "lastModified": "2024-11-21T04:33:57.980",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "cybersecurity@ch.abb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-17T19:15:12.150",
  "references": [
    {
      "source": "cybersecurity@ch.abb.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "source": "cybersecurity@ch.abb.com",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
    }
  ],
  "sourceIdentifier": "cybersecurity@ch.abb.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "cybersecurity@ch.abb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-18998 (GCVE-0-2019-18998)

GHSA-WXXJ-XQH4-VHM2

GSD-2019-18998

ICSA-20-072-02

VAR-202002-0493

CNVD-2020-10131

FKIE_CVE-2019-18998

Tags

Sightings

Nomenclature