cvelistv5 - cve-2019-8961

CVE-2019-8961 (GCVE-0-2019-8961)

Vulnerability from cvelistv5 – Published: 2020-04-21 14:20 – Updated: 2024-08-04 21:31

Summary

A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.

Severity ?

No CVSS data available.

CWE

Assigner

flexera

References

URL

Tags

https://community.flexera.com/t5/FlexNet-Publishe…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:31:37.578Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-21T14:20:52",
        "orgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
        "shortName": "flexera"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
          "ID": "CVE-2019-8961",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message",
              "refsource": "CONFIRM",
              "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "44d08088-2bea-4760-83a6-1e9be26b15ab",
    "assignerShortName": "flexera",
    "cveId": "CVE-2019-8961",
    "datePublished": "2020-04-21T14:20:52",
    "dateReserved": "2019-02-20T00:00:00",
    "dateUpdated": "2024-08-04T21:31:37.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flexera:flexnet_publisher:11.16.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"95A119D7-F1C2-4F65-925F-CF0EF44B58CB\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.\"}, {\"lang\": \"es\", \"value\": \"Se ha identificado una vulnerabilidad de denegaci\\u00f3n de servicio relacionada con un agotamiento de pila (stack) en lmadmin.exe de FlexNet Publisher versi\\u00f3n 11.16.2. Dado que la funci\\u00f3n de lectura de mensajes se llama a s\\u00ed misma de forma recursiva dada una determinada condici\\u00f3n en el mensaje recibido, un atacante remoto no autenticado puede enviar mensajes repetidas veces de ese tipo para causar una condici\\u00f3n de agotamiento de pila (stack).\"}]",
      "id": "CVE-2019-8961",
      "lastModified": "2024-11-21T04:50:44.477",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-04-21T15:15:14.443",
      "references": "[{\"url\": \"https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message\", \"source\": \"PSIRT-CNA@flexerasoftware.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "PSIRT-CNA@flexerasoftware.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-674\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-8961\",\"sourceIdentifier\":\"PSIRT-CNA@flexerasoftware.com\",\"published\":\"2020-04-21T15:15:14.443\",\"lastModified\":\"2024-11-21T04:50:44.477\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad de denegaci\u00f3n de servicio relacionada con un agotamiento de pila (stack) en lmadmin.exe de FlexNet Publisher versi\u00f3n 11.16.2. Dado que la funci\u00f3n de lectura de mensajes se llama a s\u00ed misma de forma recursiva dada una determinada condici\u00f3n en el mensaje recibido, un atacante remoto no autenticado puede enviar mensajes repetidas veces de ese tipo para causar una condici\u00f3n de agotamiento de pila (stack).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flexera:flexnet_publisher:11.16.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95A119D7-F1C2-4F65-925F-CF0EF44B58CB\"}]}]}],\"references\":[{\"url\":\"https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message\",\"source\":\"PSIRT-CNA@flexerasoftware.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-446

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Schneider Electric Software Update (SESU) versions antérieures à V2.5.0
Schneider Electric Floating License Manager versions antérieures à V2.5.0.0

SESU est notamment utilisé dans :

EcoStruxure Augmented Operator Advisor
EcoStruxure Control Expert (anciennement Unity Pro)
EcoStruxure Hybrid Distributed Control System (DCS)
EcoStruxure Machine Expert (anciennement SoMachine)
EcoStruxure Machine Expert Basic
EcoStruxure Operator Terminal Expert
Eurotherm Data Reviewer
Eurotherm iTools
eXLhoist Configuration Software
Schneider Electric Floating License Manager
Schneider Electric License Manager
Harmony XB5SSoft
SoMachine Motion
SoMove
Versatile Software BLUE
Vijeo Designer
OsiSense XX Configuration Software
Zelio Soft 2

Schneider Electric Floating License Manager est utilisé dans :

EcoStruxure Control Expert (avec licence flottante)
EcoStruxure Control Expert - Asset Link (avec licence flottante)
EcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)
EcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)
EcoStruxure Machine Expert – Safety (avec licence flottante)
Facility Expert Online
EcoStruxure Power Monitoring Expert
EcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)
SoMachine Motion (avec licence flottante)

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2020-196-02 du 10 juillet 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-196-01 du 10 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eSchneider Electric Software Update (SESU) versions ant\u00e9rieures \u00e0 V2.5.0\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager versions ant\u00e9rieures \u00e0 V2.5.0.0\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u0026nbsp;\u003c/p\u003e \u003cp\u003eSESU est notamment utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Augmented Operator Advisor\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert (anciennement Unity Pro)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert Basic\u003c/li\u003e \u003cli\u003eEcoStruxure Operator Terminal Expert\u003c/li\u003e \u003cli\u003eEurotherm Data Reviewer\u003c/li\u003e \u003cli\u003eEurotherm iTools\u003c/li\u003e \u003cli\u003eeXLhoist Configuration Software\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager\u003c/li\u003e \u003cli\u003eSchneider Electric License Manager\u003c/li\u003e \u003cli\u003eHarmony XB5SSoft\u003c/li\u003e \u003cli\u003eSoMachine Motion\u003c/li\u003e \u003cli\u003eSoMove\u003c/li\u003e \u003cli\u003eVersatile Software BLUE\u003c/li\u003e \u003cli\u003eVijeo Designer\u003c/li\u003e \u003cli\u003eOsiSense XX Configuration Software\u003c/li\u003e \u003cli\u003eZelio Soft 2\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSchneider Electric Floating License Manager est utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Control Expert (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert - Asset Link (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert \u2013 Safety (avec licence flottante)\u003c/li\u003e \u003cli\u003eFacility Expert Online\u003c/li\u003e \u003cli\u003eEcoStruxure Power Monitoring Expert\u003c/li\u003e \u003cli\u003eEcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)\u003c/li\u003e \u003cli\u003eSoMachine Motion (avec licence flottante)\u003c/li\u003e \u003c/ul\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-8960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8960"
    },
    {
      "name": "CVE-2019-8961",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8961"
    },
    {
      "name": "CVE-2020-7520",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7520"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-446",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-17T00:00:00.000000"
    },
    {
      "description": "Correction de l\u0027ann\u00e9e des cves CVE-2019-8960 et CVE-2019-8961",
      "revision_date": "2020-07-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-02 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-02/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-01 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
    }
  ]
}

CERTFR-2020-AVI-446

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Schneider Electric Software Update (SESU) versions antérieures à V2.5.0
Schneider Electric Floating License Manager versions antérieures à V2.5.0.0

SESU est notamment utilisé dans :

EcoStruxure Augmented Operator Advisor
EcoStruxure Control Expert (anciennement Unity Pro)
EcoStruxure Hybrid Distributed Control System (DCS)
EcoStruxure Machine Expert (anciennement SoMachine)
EcoStruxure Machine Expert Basic
EcoStruxure Operator Terminal Expert
Eurotherm Data Reviewer
Eurotherm iTools
eXLhoist Configuration Software
Schneider Electric Floating License Manager
Schneider Electric License Manager
Harmony XB5SSoft
SoMachine Motion
SoMove
Versatile Software BLUE
Vijeo Designer
OsiSense XX Configuration Software
Zelio Soft 2

Schneider Electric Floating License Manager est utilisé dans :

EcoStruxure Control Expert (avec licence flottante)
EcoStruxure Control Expert - Asset Link (avec licence flottante)
EcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)
EcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)
EcoStruxure Machine Expert – Safety (avec licence flottante)
Facility Expert Online
EcoStruxure Power Monitoring Expert
EcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)
SoMachine Motion (avec licence flottante)

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2020-196-02 du 10 juillet 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-196-01 du 10 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eSchneider Electric Software Update (SESU) versions ant\u00e9rieures \u00e0 V2.5.0\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager versions ant\u00e9rieures \u00e0 V2.5.0.0\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u0026nbsp;\u003c/p\u003e \u003cp\u003eSESU est notamment utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Augmented Operator Advisor\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert (anciennement Unity Pro)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert Basic\u003c/li\u003e \u003cli\u003eEcoStruxure Operator Terminal Expert\u003c/li\u003e \u003cli\u003eEurotherm Data Reviewer\u003c/li\u003e \u003cli\u003eEurotherm iTools\u003c/li\u003e \u003cli\u003eeXLhoist Configuration Software\u003c/li\u003e \u003cli\u003eSchneider Electric Floating License Manager\u003c/li\u003e \u003cli\u003eSchneider Electric License Manager\u003c/li\u003e \u003cli\u003eHarmony XB5SSoft\u003c/li\u003e \u003cli\u003eSoMachine Motion\u003c/li\u003e \u003cli\u003eSoMove\u003c/li\u003e \u003cli\u003eVersatile Software BLUE\u003c/li\u003e \u003cli\u003eVijeo Designer\u003c/li\u003e \u003cli\u003eOsiSense XX Configuration Software\u003c/li\u003e \u003cli\u003eZelio Soft 2\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSchneider Electric Floating License Manager est utilis\u00e9 dans :\u003c/p\u003e \u003cul\u003e \u003cli\u003eEcoStruxure Control Expert (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert - Asset Link (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Hybrid Distributed Control System (DCS) (anciennement PlantStruxure PES)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert (anciennement SoMachine) (avec licence flottante)\u003c/li\u003e \u003cli\u003eEcoStruxure Machine Expert \u2013 Safety (avec licence flottante)\u003c/li\u003e \u003cli\u003eFacility Expert Online\u003c/li\u003e \u003cli\u003eEcoStruxure Power Monitoring Expert\u003c/li\u003e \u003cli\u003eEcoStruxure Power SCADA Operation (anciennement PowerSCADA Expert et PowerLogic SCADA)\u003c/li\u003e \u003cli\u003eSoMachine Motion (avec licence flottante)\u003c/li\u003e \u003c/ul\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-8960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8960"
    },
    {
      "name": "CVE-2019-8961",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-8961"
    },
    {
      "name": "CVE-2020-7520",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7520"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-446",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-17T00:00:00.000000"
    },
    {
      "description": "Correction de l\u0027ann\u00e9e des cves CVE-2019-8960 et CVE-2019-8961",
      "revision_date": "2020-07-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-02 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-02/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-196-01 du 10 juillet 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-196-01/"
    }
  ]
}

GHSA-V43V-R57X-CXJW

Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-05-24 17:15

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-8961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.",
  "id": "GHSA-v43v-r57x-cxjw",
  "modified": "2022-05-24T17:15:55Z",
  "published": "2022-05-24T17:15:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8961"
    },
    {
      "type": "WEB",
      "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2019-8961

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-8961

Aliases

CVE-2019-8961

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-8961",
    "description": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.",
    "id": "GSD-2019-8961"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-8961"
      ],
      "details": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.",
      "id": "GSD-2019-8961",
      "modified": "2023-12-13T01:23:48.423721Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
        "ID": "CVE-2019-8961",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message",
            "refsource": "CONFIRM",
            "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:flexera:flexnet_publisher:11.16.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "PSIRT-CNA@flexerasoftware.com",
          "ID": "CVE-2019-8961"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-674"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-07-21T11:39Z",
      "publishedDate": "2020-04-21T15:15Z"
    }
  }
}

FKIE_CVE-2019-8961

Vulnerability from fkie_nvd - Published: 2020-04-21 15:15 - Updated: 2024-11-21 04:50

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	PSIRT-CNA@flexerasoftware.com	https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message	Vendor Advisory

Impacted products

	Vendor	Product	Version
	flexera	flexnet_publisher	11.16.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flexera:flexnet_publisher:11.16.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "95A119D7-F1C2-4F65-925F-CF0EF44B58CB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition."
    },
    {
      "lang": "es",
      "value": "Se ha identificado una vulnerabilidad de denegaci\u00f3n de servicio relacionada con un agotamiento de pila (stack) en lmadmin.exe de FlexNet Publisher versi\u00f3n 11.16.2. Dado que la funci\u00f3n de lectura de mensajes se llama a s\u00ed misma de forma recursiva dada una determinada condici\u00f3n en el mensaje recibido, un atacante remoto no autenticado puede enviar mensajes repetidas veces de ese tipo para causar una condici\u00f3n de agotamiento de pila (stack)."
    }
  ],
  "id": "CVE-2019-8961",
  "lastModified": "2024-11-21T04:50:44.477",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-21T15:15:14.443",
  "references": [
    {
      "source": "PSIRT-CNA@flexerasoftware.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message"
    }
  ],
  "sourceIdentifier": "PSIRT-CNA@flexerasoftware.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-33247

Vulnerability from cnvd - Published: 2020-06-15

Title

Flexera Software FlexNet Publisher lmadmin.exe资源管理错误漏洞

Description

Flexera Software FlexNet Publisher（FLEXlm）是美国Flexera Software公司的一款授权关系管理解决方案（Entitlement Relationship Management Solution）中的软件授权管理核心组件。该产品可为软件与硬件生产商提供定价、打包和定制软件授权期限。 Flexera Software FlexNet Publisher lmadmin.exe资源管理错误漏洞，该漏洞源于特定条件下消息读取功能会不断调用自身。远程攻击者可通过重复发送该类型的消息利用该漏洞导致堆栈耗尽。

Severity

中

Patch Name

Flexera Software FlexNet Publisher lmadmin.exe资源管理错误漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-8961

Impacted products

Name
Flexera Software FlexNet Publisher lmadmin.exe 11.16.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-8961"
    }
  },
  "description": "Flexera Software FlexNet Publisher\uff08FLEXlm\uff09\u662f\u7f8e\u56fdFlexera Software\u516c\u53f8\u7684\u4e00\u6b3e\u6388\u6743\u5173\u7cfb\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff08Entitlement Relationship Management Solution\uff09\u4e2d\u7684\u8f6f\u4ef6\u6388\u6743\u7ba1\u7406\u6838\u5fc3\u7ec4\u4ef6\u3002\u8be5\u4ea7\u54c1\u53ef\u4e3a\u8f6f\u4ef6\u4e0e\u786c\u4ef6\u751f\u4ea7\u5546\u63d0\u4f9b\u5b9a\u4ef7\u3001\u6253\u5305\u548c\u5b9a\u5236\u8f6f\u4ef6\u6388\u6743\u671f\u9650\u3002\n\nFlexera Software FlexNet Publisher lmadmin.exe\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7279\u5b9a\u6761\u4ef6\u4e0b\u6d88\u606f\u8bfb\u53d6\u529f\u80fd\u4f1a\u4e0d\u65ad\u8c03\u7528\u81ea\u8eab\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u91cd\u590d\u53d1\u9001\u8be5\u7c7b\u578b\u7684\u6d88\u606f\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5806\u6808\u8017\u5c3d\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8961-remediated-in-FlexNet-Publisher/ta-p/124601/jump-to/first-unread-message",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-33247",
  "openTime": "2020-06-15",
  "patchDescription": "Flexera Software FlexNet Publisher\uff08FLEXlm\uff09\u662f\u7f8e\u56fdFlexera Software\u516c\u53f8\u7684\u4e00\u6b3e\u6388\u6743\u5173\u7cfb\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff08Entitlement Relationship Management Solution\uff09\u4e2d\u7684\u8f6f\u4ef6\u6388\u6743\u7ba1\u7406\u6838\u5fc3\u7ec4\u4ef6\u3002\u8be5\u4ea7\u54c1\u53ef\u4e3a\u8f6f\u4ef6\u4e0e\u786c\u4ef6\u751f\u4ea7\u5546\u63d0\u4f9b\u5b9a\u4ef7\u3001\u6253\u5305\u548c\u5b9a\u5236\u8f6f\u4ef6\u6388\u6743\u671f\u9650\u3002\r\n\r\nFlexera Software FlexNet Publisher lmadmin.exe\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7279\u5b9a\u6761\u4ef6\u4e0b\u6d88\u606f\u8bfb\u53d6\u529f\u80fd\u4f1a\u4e0d\u65ad\u8c03\u7528\u81ea\u8eab\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u91cd\u590d\u53d1\u9001\u8be5\u7c7b\u578b\u7684\u6d88\u606f\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5806\u6808\u8017\u5c3d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Flexera Software FlexNet Publisher lmadmin.exe\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Flexera Software FlexNet Publisher lmadmin.exe 11.16.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-8961",
  "serverity": "\u4e2d",
  "submitTime": "2020-04-22",
  "title": "Flexera Software FlexNet Publisher lmadmin.exe\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-8961 (GCVE-0-2019-8961)

CERTFR-2020-AVI-446

Solution

CERTFR-2020-AVI-446

Solution

GHSA-V43V-R57X-CXJW

GSD-2019-8961

FKIE_CVE-2019-8961

CNVD-2020-33247

Tags

Sightings

Nomenclature