CVE-2019-6525

Published: Apr 11, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account.

Affected (4)

Products: Aveva: Wonderware System Platform

1 product

Wonderware System Platform

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Aveva Wonderware System Platform	Before 2017
Aveva Wonderware System Platform	Version 2017
Aveva Wonderware System Platform	Version 2017 update_1
Aveva Wonderware System Platform	Version 2017 update_2

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

https://ics-cert.us-cert.gov/advisories/ICSA-19-029-03

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec135.pdf

Source: ics-cert@hq.dhs.gov

Vendor Advisory

https://ics-cert.us-cert.gov/advisories/ICSA-19-029-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec135.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.