ID

VAR-201702-0674


CVE

CVE-2017-5153


TITLE

OSIsoft PI Coresight and PI Web API Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2017-00496 // CNNVD: CNNVD-201701-177

DESCRIPTION

An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier versions, and PI Web API 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit. An information exposure through server log files vulnerability has been identified, which may allow service account passwords to become exposed for the affected services, potentially leading to unauthorized shutdown of the affected PI services as well as potential reuse of domain credentials. OSIsoft PI Coresight and PI Web API contain an information disclosure vulnerability. Information may be disclosed via server log files. OSIsoft PI Coresight is a web-based tool for secure access to PI System data. An attacker can exploit this issue to obtain sensitive information and cause a denial-of-service condition.

Trust: 2.61

sources: NVD: CVE-2017-5153 // JVNDB: JVNDB-2017-002264 // CNVD: CNVD-2017-00496 // BID: 95355 // IVD: e7887e65-5724-47c1-8179-e1966e9bf69c

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e7887e65-5724-47c1-8179-e1966e9bf69c // CNVD: CNVD-2017-00496

AFFECTED PRODUCTS

vendor: osisoft, model: pi web api, scope: eq, version: 2016-r2

Trust: 1.6

vendor: osisoft, model: pi coresight, scope: lte, version: 2016-r2

Trust: 1.0

vendor: osisoft, model: pi coresight, scope: eq, version: 20160

Trust: 0.9

vendor: osisoft, model: pi coresight, scope: eq, version: 20150

Trust: 0.9

vendor: osisoft, model: pi coresight, scope: eq, version: 20140

Trust: 0.9

vendor: osisoft, model: pi coresight, scope: eq, version: 20130

Trust: 0.9

vendor: osisoft, model: pi coresight, scope: eq, version: 20120

Trust: 0.9

vendor: osisoft, model: pi coresight, scope: eq, version: 1.0

Trust: 0.9

vendor: osisoft, model: pi coresight, scope: lte, version: 2016 r2

Trust: 0.8

vendor: osisoft, model: pi web api, scope: eq, version: 2016 r2 (pi af services 2016 r2 integrated install kit)

Trust: 0.8

vendor: osisoft, model: pi web api r2, scope: eq, version: 2016

Trust: 0.6

vendor: osisoft, model: pi coresight, scope: eq, version: 2016-r2

Trust: 0.6

vendor: osisoft, model: pi web api r2, scope: eq, version: 20160

Trust: 0.3

vendor: pi coresight, model: -, scope: eq, version: *

Trust: 0.2

vendor: pi web api, model: 2016-r2, scope: -, version: -

Trust: 0.2

sources: IVD: e7887e65-5724-47c1-8179-e1966e9bf69c // CNVD: CNVD-2017-00496 // BID: 95355 // JVNDB: JVNDB-2017-002264 // CNNVD: CNNVD-201701-177 // NVD: CVE-2017-5153

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-5153
value: HIGH

Trust: 1.0

NVD: CVE-2017-5153
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-00496
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201701-177
value: LOW

Trust: 0.6

IVD: e7887e65-5724-47c1-8179-e1966e9bf69c
value: LOW

Trust: 0.2

nvd@nist.gov: CVE-2017-5153
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-00496
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e7887e65-5724-47c1-8179-e1966e9bf69c
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-5153
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e7887e65-5724-47c1-8179-e1966e9bf69c // CNVD: CNVD-2017-00496 // JVNDB: JVNDB-2017-002264 // CNNVD: CNNVD-201701-177 // NVD: CVE-2017-5153

PROBLEMTYPE DATA

problemtype:CWE-532

Trust: 1.8

sources: JVNDB: JVNDB-2017-002264 // NVD: CVE-2017-5153

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201701-177

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201701-177

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002264

PATCH

title: Top Page, url: http://www.osisoft.com/Default.aspx

Trust: 0.8

title: Patch for OSIsoft PI Coresight and PI Web API Information Disclosure Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/88081

Trust: 0.6

sources: CNVD: CNVD-2017-00496 // JVNDB: JVNDB-2017-002264

EXTERNAL IDS

db: NVD, id: CVE-2017-5153

Trust: 3.5

db: BID, id: 95355

Trust: 2.5

db: ICS CERT, id: ICSA-17-010-01

Trust: 1.9

db: CNVD, id: CNVD-2017-00496

Trust: 0.8

db: CNNVD, id: CNNVD-201701-177

Trust: 0.8

db: ICS CERT, id: ICSA-17-010-01A

Trust: 0.8

db: JVNDB, id: JVNDB-2017-002264

Trust: 0.8

db: IVD, id: E7887E65-5724-47C1-8179-E1966E9BF69C

Trust: 0.2

sources: IVD: e7887e65-5724-47c1-8179-e1966e9bf69c // CNVD: CNVD-2017-00496 // BID: 95355 // JVNDB: JVNDB-2017-002264 // CNNVD: CNNVD-201701-177 // NVD: CVE-2017-5153

REFERENCES

url:http://www.securityfocus.com/bid/95355

Trust: 2.2

url:https://ics-cert.us-cert.gov/advisories/icsa-17-010-01

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5153

Trust: 0.8

url:https://ics-cert.us-cert.gov/advisories/icsa-17-010-01a

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-5153

Trust: 0.8

url:https://www.osisoft.com/default.aspx

Trust: 0.3

url:https://ics-cert.us-cert.gov/advisories/icsa-17-010-01

Trust: 0.3

url:https://techsupport.osisoft.com/troubleshooting/alerts/al00312

Trust: 0.3

sources: CNVD: CNVD-2017-00496 // BID: 95355 // JVNDB: JVNDB-2017-002264 // CNNVD: CNNVD-201701-177 // NVD: CVE-2017-5153

CREDITS

Vint Maggs from Savannah River Nuclear Solutions

Trust: 0.9

sources: BID: 95355 // CNNVD: CNNVD-201701-177

SOURCES

db: IVD, id: e7887e65-5724-47c1-8179-e1966e9bf69c
db: CNVD, id: CNVD-2017-00496
db: BID, id: 95355
db: JVNDB, id: JVNDB-2017-002264
db: CNNVD, id: CNNVD-201701-177
db: NVD, id: CVE-2017-5153

LAST UPDATE DATE

2024-11-23T23:12:33.091000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-00496, date: 2017-01-17T00:00:00
db: BID, id: 95355, date: 2017-01-12T00:14:00
db: JVNDB, id: JVNDB-2017-002264, date: 2017-04-06T00:00:00
db: CNNVD, id: CNNVD-201701-177, date: 2017-01-12T00:00:00
db: NVD, id: CVE-2017-5153, date: 2024-11-21T03:27:09.733

SOURCES RELEASE DATE

db: IVD, id: e7887e65-5724-47c1-8179-e1966e9bf69c, date: 2017-01-17T00:00:00
db: CNVD, id: CNVD-2017-00496, date: 2017-01-17T00:00:00
db: BID, id: 95355, date: 2017-01-10T00:00:00
db: JVNDB, id: JVNDB-2017-002264, date: 2017-04-06T00:00:00
db: CNNVD, id: CNNVD-201701-177, date: 2017-01-12T00:00:00
db: NVD, id: CVE-2017-5153, date: 2017-02-13T21:59:02.690