ID

VAR-201109-0174


CVE

CVE-2011-3502


TITLE

Cogent DataHub of Web Vulnerability in server executable code acquisition

Trust: 0.8

sources: JVNDB: JVNDB-2011-002267

DESCRIPTION

The web server in Cogent DataHub 7.1.1.63 and earlier allows remote attackers to obtain the source code of executable files via a request with a trailing (1) space or (2) %2e (encoded dot). Cogent DataHub is software for SCADA and automation. The Cogent DataHub server/service uses a custom web server that listens on port 80. The software does not handle the directory traversal sequence correctly. An attacker can exploit the vulnerability to download files on the server. Cogent DataHub is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting the issues may allow an attacker to obtain sensitive information that could aid in further attacks. Cogent DataHub 7.1.1.63 is vulnerable; other versions may also be affected

Trust: 2.97

sources: NVD: CVE-2011-3502 // JVNDB: JVNDB-2011-002267 // CNVD: CNVD-2011-3671 // CNVD: CNVD-2011-3672 // BID: 49610

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2011-3671 // CNVD: CNVD-2011-3672

AFFECTED PRODUCTS

vendor:cogentdatahubmodel:cogent datahubscope:eqversion:7.0

Trust: 1.6

vendor:cogentdatahubmodel:cogent datahubscope:eqversion:7.1.1

Trust: 1.6

vendor:cogentdatahubmodel:cogent datahubscope:eqversion:7.1.1.63

Trust: 1.6

vendor:cogentdatahubmodel:cogent datahubscope:eqversion:7.1.0

Trust: 1.6

vendor:cogentdatahubmodel:cogent datahubscope:eqversion:7.0.2

Trust: 1.6

vendor:cogentmodel:real-time systems cogent datahubscope:eqversion:7.1.1.63

Trust: 1.5

vendor:cogent real timemodel:datahubscope:lteversion:7.1.1.63

Trust: 0.8

vendor:cogentmodel:real-time systems opc datahubscope:eqversion:6.0.2

Trust: 0.3

vendor:cogentmodel:real-time systems opc datahubscope:eqversion:6

Trust: 0.3

vendor:cogentmodel:real-time systems cogent datahubscope:eqversion:7

Trust: 0.3

vendor:cogentmodel:real-time systems cascade datahubscope:eqversion:6

Trust: 0.3

vendor:cogentmodel:real-time systems opc datahubscope:neversion:6.4.20

Trust: 0.3

vendor:cogentmodel:real-time systems cogent datahubscope:neversion:7.1.2

Trust: 0.3

vendor:cogentmodel:real-time systems cascade datahubscope:neversion:6.4.20

Trust: 0.3

sources: CNVD: CNVD-2011-3671 // CNVD: CNVD-2011-3672 // BID: 49610 // JVNDB: JVNDB-2011-002267 // CNNVD: CNNVD-201109-275 // NVD: CVE-2011-3502

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3502
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-3502
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201109-275
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2011-3502
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2011-002267 // CNNVD: CNNVD-201109-275 // NVD: CVE-2011-3502

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2011-002267 // NVD: CVE-2011-3502

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201109-184 // CNNVD: CNNVD-201109-275

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201109-184

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002267

PATCH

title:Top Pageurl:http://www.cogentdatahub.com/

Trust: 0.8

title:Top Pageurl:http://www.cogentdatahub.com/jp/

Trust: 0.8

sources: JVNDB: JVNDB-2011-002267

EXTERNAL IDS

db:NVDid:CVE-2011-3502

Trust: 2.7

db:ICS CERT ALERTid:ICS-ALERT-11-256-03

Trust: 2.4

db:BIDid:49610

Trust: 2.1

db:ICS CERTid:ICSA-11-280-01

Trust: 1.1

db:JVNDBid:JVNDB-2011-002267

Trust: 0.8

db:CNVDid:CNVD-2011-3671

Trust: 0.6

db:CNVDid:CNVD-2011-3672

Trust: 0.6

db:CNNVDid:CNNVD-201109-184

Trust: 0.6

db:CNNVDid:CNNVD-201109-275

Trust: 0.6

sources: CNVD: CNVD-2011-3671 // CNVD: CNVD-2011-3672 // BID: 49610 // JVNDB: JVNDB-2011-002267 // CNNVD: CNNVD-201109-184 // CNNVD: CNNVD-201109-275 // NVD: CVE-2011-3502

REFERENCES

url:http://www.us-cert.gov/control_systems/pdf/ics-alert-11-256-03.pdf

Trust: 2.4

url:http://aluigi.altervista.org/adv/cogent_4-adv.txt

Trust: 2.2

url:http://www.us-cert.gov/control_systems/pdf/icsa-11-280-01.pdf

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3502

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3502

Trust: 0.8

url:http://aluigi.altervista.org/adv/cogent_2-adv.txt

Trust: 0.6

url:http://www.securityfocus.com/bid/49610

Trust: 0.6

url:http://www.cogentdatahub.com/products/cogent_datahub.html

Trust: 0.3

url:http://aluigi.org/mytoolz/mydown.zip

Trust: 0.3

sources: CNVD: CNVD-2011-3671 // CNVD: CNVD-2011-3672 // BID: 49610 // JVNDB: JVNDB-2011-002267 // CNNVD: CNNVD-201109-184 // CNNVD: CNNVD-201109-275 // NVD: CVE-2011-3502

CREDITS

Luigi Auriemma

Trust: 0.9

sources: BID: 49610 // CNNVD: CNNVD-201109-184

SOURCES

db:CNVDid:CNVD-2011-3671
db:CNVDid:CNVD-2011-3672
db:BIDid:49610
db:JVNDBid:JVNDB-2011-002267
db:CNNVDid:CNNVD-201109-184
db:CNNVDid:CNNVD-201109-275
db:NVDid:CVE-2011-3502

LAST UPDATE DATE

2024-11-23T22:08:58.891000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2011-3671date:2011-09-15T00:00:00
db:CNVDid:CNVD-2011-3672date:2011-09-15T00:00:00
db:BIDid:49610date:2011-10-11T16:20:00
db:JVNDBid:JVNDB-2011-002267date:2011-09-29T00:00:00
db:CNNVDid:CNNVD-201109-184date:2011-09-15T00:00:00
db:CNNVDid:CNNVD-201109-275date:2011-09-19T00:00:00
db:NVDid:CVE-2011-3502date:2024-11-21T01:30:36.870

SOURCES RELEASE DATE

db:CNVDid:CNVD-2011-3671date:2011-09-15T00:00:00
db:CNVDid:CNVD-2011-3672date:2011-09-15T00:00:00
db:BIDid:49610date:2011-09-13T00:00:00
db:JVNDBid:JVNDB-2011-002267date:2011-09-29T00:00:00
db:CNNVDid:CNNVD-201109-184date:1900-01-01T00:00:00
db:CNNVDid:CNNVD-201109-275date:2011-09-19T00:00:00
db:NVDid:CVE-2011-3502date:2011-09-16T17:26:14.933