Details of VAR-201308-0294

ID

VAR-201308-0294

CVE

CVE-2013-5022

TITLE

National Instruments LabWindows/CVI and LabVIEW Used in products such as cw3dgrph.ocx Vulnerable to absolute path traversal

Trust: 0.8

sources: JVNDB: JVNDB-2013-003660

DESCRIPTION

Absolute path traversal vulnerability in the 3D Graph ActiveX control in cw3dgrph.ocx in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allows remote attackers to create and execute arbitrary files via a full pathname in an argument to the ExportStyle method, in conjunction with file content in the (1) Caption or (2) FormatString property value. Attackers can exploit this issue to create and execute arbitrary files in the context of the application (typically Internet Explorer) that is using the ActiveX control, which may aid in a remote code execution. The following products are affected: LabVIEW 2012 and prior LabWindows/CVI 2012 and prior Measurement Studio 2013 and prior TestStand 2012 and prior

Trust: 1.89

sources: NVD: CVE-2013-5022 // JVNDB: JVNDB-2013-003660 // BID: 61828

AFFECTED PRODUCTS

vendor:	ni	model:	labview	scope:	lte	version:	2012	Trust: 1.0
vendor:	ni	model:	teststand	scope:	lte	version:	2012	Trust: 1.0
vendor:	ni	model:	labwindows	scope:	lte	version:	2012	Trust: 1.0
vendor:	ni	model:	measurementstudio	scope:	lte	version:	2013	Trust: 1.0
vendor:	national instruments	model:	labview	scope:	-	version:	-	Trust: 0.8
vendor:	national instruments	model:	labwindows/cvi	scope:	-	version:	-	Trust: 0.8
vendor:	ni	model:	teststand	scope:	eq	version:	2012	Trust: 0.6
vendor:	ni	model:	measurementstudio	scope:	eq	version:	2013	Trust: 0.6
vendor:	ni	model:	labwindows	scope:	eq	version:	2012	Trust: 0.6
vendor:	ni	model:	labview	scope:	eq	version:	2012	Trust: 0.6

sources: JVNDB: JVNDB-2013-003660 // CNNVD: CNNVD-201308-067 // NVD: CVE-2013-5022

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5022
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-5022
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201308-067
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2013-5022
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2013-5022
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

sources: JVNDB: JVNDB-2013-003660 // CNNVD: CNNVD-201308-067 // NVD: CVE-2013-5022

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2013-003660 // NVD: CVE-2013-5022

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201308-067

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201308-067

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003660

PATCH

title:	How Does NI Security Update 67L8L0QW for cw3dgrph.ocx Affect Me?	url:	http://digital.ni.com/public.nsf/websearch/C4619A438F7E78E486257B360050BD7D?OpenDocument	Trust: 0.8
title:	How Do The NI Q2 2013 Security Updates Affect Me?	url:	http://digital.ni.com/public.nsf/websearch/507DEC9DA57A708186257B3600512623?OpenDocument	Trust: 0.8
title:	NI Q2 2013セキュリティアップデートについて	url:	http://digital.ni.com/public.nsf/websearchj/A13EF8E8AE2CFAA886257B750076EC0B?OpenDocument	Trust: 0.8
title:	cw3dgrph.ocx用NIセキュリティアップデート67L8L0QWについて	url:	http://digital.ni.com/public.nsf/websearchj/73FC56053F95119A86257B6C0073CC03?OpenDocument	Trust: 0.8

sources: JVNDB: JVNDB-2013-003660

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5022	Trust: 2.7
db:	JVNDB	id:	JVNDB-2013-003660	Trust: 0.8
db:	CNNVD	id:	CNNVD-201308-067	Trust: 0.6
db:	BID	id:	61828	Trust: 0.3

sources: BID: 61828 // JVNDB: JVNDB-2013-003660 // CNNVD: CNNVD-201308-067 // NVD: CVE-2013-5022

REFERENCES

url:	http://digital.ni.com/public.nsf/websearch/507dec9da57a708186257b3600512623?opendocument	Trust: 1.9
url:	http://digital.ni.com/public.nsf/websearch/c4619a438f7e78e486257b360050bd7d?opendocument	Trust: 1.9
url:	http://digital.ni.com/public.nsf/allkb/782e4f31442d833186257bd3004aeb47?opendocument	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5022	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5022	Trust: 0.8
url:	http://support.microsoft.com/kb/240797	Trust: 0.3

sources: BID: 61828 // JVNDB: JVNDB-2013-003660 // CNNVD: CNNVD-201308-067 // NVD: CVE-2013-5022

CREDITS

Andrea Micalizzi aka rgod working with Hewlett Packard's Zero Day Initiative.

Trust: 0.3

sources: BID: 61828

SOURCES

db:	BID	id:	61828
db:	JVNDB	id:	JVNDB-2013-003660
db:	CNNVD	id:	CNNVD-201308-067
db:	NVD	id:	CVE-2013-5022

LAST UPDATE DATE

2024-08-14T13:58:11.857000+00:00

SOURCES UPDATE DATE

db:	BID	id:	61828	date:	2015-03-19T08:44:00
db:	JVNDB	id:	JVNDB-2013-003660	date:	2013-08-08T00:00:00
db:	CNNVD	id:	CNNVD-201308-067	date:	2013-08-07T00:00:00
db:	NVD	id:	CVE-2013-5022	date:	2013-09-18T03:30:09.033

SOURCES RELEASE DATE

db:	BID	id:	61828	date:	2013-08-19T00:00:00
db:	JVNDB	id:	JVNDB-2013-003660	date:	2013-08-08T00:00:00
db:	CNNVD	id:	CNNVD-201308-067	date:	2013-08-07T00:00:00
db:	NVD	id:	CVE-2013-5022	date:	2013-08-06T20:55:05.413