ID
VAR-201405-0535
CVE
CVE-2014-3789
TITLE
Cogent Real-Time Systems DataHub 'GetPermissions.asp' Remote code execution vulnerability
Trust: 1.3
sources:
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d //
CNVD: CNVD-2014-03106 //
BID: 67486
DESCRIPTION
GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary commands via unspecified vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GetPermissions.asp component of the web server. Authentication is not required to exploit this vulnerability.The specific flaw exists within the EvalExpresssion method, which is available remotely through the AJAX facility. Using this method, it is possible to execute arbitrary Gamma code. Cogent DataHub is software for SCADA and automation. Versions prior to Cogent DataHub 7.3.5 are vulnerable
Trust: 4.32
sources:
NVD: CVE-2014-3789 //
JVNDB: JVNDB-2014-002621 //
ZDI: ZDI-14-136 //
ZDI: ZDI-15-438 //
CNVD: CNVD-2014-03106 //
BID: 67486 //
BID: 76614 //
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d
IOT TAXONOMY
| category: | ['ICS'] | sub_category: | - | Trust: 1.0 |
sources:
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d //
CNVD: CNVD-2014-03106
AFFECTED PRODUCTS
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.3.1 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.3.0 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.2.2 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.1.2 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.1.1.63 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.1.1 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.1.0 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.0.2 | Trust: 1.9 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.0 | Trust: 1.9 |
| vendor: | cogent real time | model: | datahub | scope: | - | version: | - | Trust: 1.4 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.3.3 | Trust: 1.0 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.3.2 | Trust: 1.0 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | lte | version: | 7.3.4 | Trust: 1.0 |
| vendor: | cogent real time | model: | datahub | scope: | lt | version: | 7.3.5 | Trust: 0.8 |
| vendor: | cogent | model: | real-time systems cogent datahub | scope: | - | version: | - | Trust: 0.6 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.3.4 | Trust: 0.6 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.0 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.0.2 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.1.0 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.1.1 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.1.1.63 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.1.2 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.2.2 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.3.0 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.3.1 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.3.2 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | 7.3.3 | Trust: 0.4 |
| vendor: | cogent datahub | model: | - | scope: | eq | version: | * | Trust: 0.4 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7.3.8 | Trust: 0.3 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | eq | version: | 7 | Trust: 0.3 |
| vendor: | cogentdatahub | model: | cogent datahub | scope: | ne | version: | 7.3.9 | Trust: 0.3 |
sources:
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d //
ZDI: ZDI-14-136 //
ZDI: ZDI-15-438 //
CNVD: CNVD-2014-03106 //
BID: 76614 //
JVNDB: JVNDB-2014-002621 //
CNNVD: CNNVD-201405-459 //
NVD: CVE-2014-3789
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
sources:
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d //
ZDI: ZDI-14-136 //
ZDI: ZDI-15-438 //
CNVD: CNVD-2014-03106 //
JVNDB: JVNDB-2014-002621 //
CNNVD: CNNVD-201405-459 //
NVD: CVE-2014-3789
PROBLEMTYPE DATA
| problemtype: | CWE-94 | Trust: 1.8 |
sources:
JVNDB: JVNDB-2014-002621 //
NVD: CVE-2014-3789
THREAT TYPE
network
Trust: 0.6
sources:
BID: 67486 //
BID: 76614
TYPE
Code injection
Trust: 1.0
sources:
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d //
CNNVD: CNNVD-201405-459
CONFIGURATIONS
sources:
JVNDB: JVNDB-2014-002621
PATCH
| title: | Release Notes | url: | http://cogentdatahub.com/ReleaseNotes.html | Trust: 1.5 |
| title: | Cogent Real-Time Systems has issued an update to correct this vulnerability. | url: | https://ics-cert.us-cert.gov/advisories/ICSA-15-246-01 | Trust: 0.7 |
| title: | Cogent Real-Time Systems DataHub 'GetPermissions.asp' patch for remote code execution vulnerability | url: | https://www.cnvd.org.cn/patchInfo/show/45728 | Trust: 0.6 |
sources:
ZDI: ZDI-14-136 //
ZDI: ZDI-15-438 //
CNVD: CNVD-2014-03106 //
JVNDB: JVNDB-2014-002621
EXTERNAL IDS
| db: | NVD | id: | CVE-2014-3789 | Trust: 5.4 |
| db: | ZDI | id: | ZDI-14-136 | Trust: 4.0 |
| db: | BID | id: | 67486 | Trust: 2.5 |
| db: | ICS CERT | id: | ICSA-15-246-01 | Trust: 1.3 |
| db: | ICS CERT | id: | ICSA-14-198-01 | Trust: 1.1 |
| db: | CNVD | id: | CNVD-2014-03106 | Trust: 1.0 |
| db: | CNNVD | id: | CNNVD-201405-459 | Trust: 1.0 |
| db: | JVNDB | id: | JVNDB-2014-002621 | Trust: 0.8 |
| db: | ZDI_CAN | id: | ZDI-CAN-2160 | Trust: 0.7 |
| db: | ZDI_CAN | id: | ZDI-CAN-2981 | Trust: 0.7 |
| db: | ZDI | id: | ZDI-15-438 | Trust: 0.7 |
| db: | BID | id: | 76614 | Trust: 0.3 |
| db: | IVD | id: | 7D7A6CD1-463F-11E9-B51A-000C29342CB1 | Trust: 0.2 |
| db: | IVD | id: | F6F85540-2351-11E6-ABEF-000C29C66E3D | Trust: 0.2 |
sources:
IVD: 7d7a6cd1-463f-11e9-b51a-000c29342cb1 //
IVD: f6f85540-2351-11e6-abef-000c29c66e3d //
ZDI: ZDI-14-136 //
ZDI: ZDI-15-438 //
CNVD: CNVD-2014-03106 //
BID: 67486 //
BID: 76614 //
JVNDB: JVNDB-2014-002621 //
CNNVD: CNNVD-201405-459 //
NVD: CVE-2014-3789
REFERENCES
| url: | http://www.zerodayinitiative.com/advisories/zdi-14-136/ | Trust: 3.3 |
| url: | http://cogentdatahub.com/releasenotes.html | Trust: 2.6 |
| url: | https://ics-cert.us-cert.gov/advisories/icsa-15-246-01 | Trust: 2.0 |
| url: | http://www.securityfocus.com/bid/67486 | Trust: 1.6 |
| url: | https://ics-cert.us-cert.gov/advisories/icsa-14-198-01 | Trust: 1.1 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3789 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3789 | Trust: 0.8 |
| url: | http://www.cogentdatahub.com/index.html | Trust: 0.3 |
| url: | http://cogentdatahub.com/index.html | Trust: 0.3 |
sources:
ZDI: ZDI-14-136 //
ZDI: ZDI-15-438 //
CNVD: CNVD-2014-03106 //
BID: 67486 //
BID: 76614 //
JVNDB: JVNDB-2014-002621 //
CNNVD: CNNVD-201405-459 //
NVD: CVE-2014-3789
CREDITS
John Leitch
Trust: 1.0
sources:
ZDI: ZDI-14-136 //
BID: 67486
SOURCES
| db: | IVD | id: | 7d7a6cd1-463f-11e9-b51a-000c29342cb1 |
| db: | IVD | id: | f6f85540-2351-11e6-abef-000c29c66e3d |
| db: | ZDI | id: | ZDI-14-136 |
| db: | ZDI | id: | ZDI-15-438 |
| db: | CNVD | id: | CNVD-2014-03106 |
| db: | BID | id: | 67486 |
| db: | BID | id: | 76614 |
| db: | JVNDB | id: | JVNDB-2014-002621 |
| db: | CNNVD | id: | CNNVD-201405-459 |
| db: | NVD | id: | CVE-2014-3789 |
LAST UPDATE DATE
2024-11-23T23:09:23.057000+00:00
SOURCES UPDATE DATE
| db: | ZDI | id: | ZDI-14-136 | date: | 2014-05-19T00:00:00 |
| db: | ZDI | id: | ZDI-15-438 | date: | 2015-09-08T00:00:00 |
| db: | CNVD | id: | CNVD-2014-03106 | date: | 2014-05-22T00:00:00 |
| db: | BID | id: | 67486 | date: | 2015-03-19T09:10:00 |
| db: | BID | id: | 76614 | date: | 2015-09-03T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-002621 | date: | 2014-07-22T00:00:00 |
| db: | CNNVD | id: | CNNVD-201405-459 | date: | 2014-05-26T00:00:00 |
| db: | NVD | id: | CVE-2014-3789 | date: | 2024-11-21T02:08:50.237 |
SOURCES RELEASE DATE
| db: | IVD | id: | 7d7a6cd1-463f-11e9-b51a-000c29342cb1 | date: | 2014-05-22T00:00:00 |
| db: | IVD | id: | f6f85540-2351-11e6-abef-000c29c66e3d | date: | 2014-05-22T00:00:00 |
| db: | ZDI | id: | ZDI-14-136 | date: | 2014-05-19T00:00:00 |
| db: | ZDI | id: | ZDI-15-438 | date: | 2015-09-08T00:00:00 |
| db: | CNVD | id: | CNVD-2014-03106 | date: | 2014-05-21T00:00:00 |
| db: | BID | id: | 67486 | date: | 2014-05-19T00:00:00 |
| db: | BID | id: | 76614 | date: | 2015-09-03T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-002621 | date: | 2014-05-26T00:00:00 |
| db: | CNNVD | id: | CNNVD-201405-459 | date: | 2014-05-26T00:00:00 |
| db: | NVD | id: | CVE-2014-3789 | date: | 2014-05-22T23:55:03.767 |