ID

VAR-201708-1388


CVE

CVE-2017-7926


TITLE

OSIsoft PI Web API Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f // CNVD: CNVD-2017-16356 // CNNVD: CNNVD-201704-1044

DESCRIPTION

A Cross-Site Request Forgery issue was discovered in OSIsoft PI Web API versions prior to 2017 (1.9.0). The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser that the server has previously authenticated. OSIsoft PI Web API is a product for accessing PI System data over HTTP. The program did not verify that a state-changing HTTP request originated from its own application rather than from another site open in the same authenticated browser. An attacker could exploit the vulnerability to perform certain unauthorized operations with the privileges of the authenticated user and to access the affected application. Other attacks are also possible.

Trust: 2.61

sources: NVD: CVE-2017-7926 // JVNDB: JVNDB-2017-007335 // CNVD: CNVD-2017-16356 // BID: 99058 // IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f
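How the flaw class in this record works, as an added example that is not OSIsoft's code and does not describe PI Web API's actual fix: a Python model of a request handler in the vulnerable shape (any authenticated request is honoured, whichever site triggered it) beside a hardened handler that rejects state-changing cross-site requests. The `Request` type, the handler names, the `ALLOWED` origin set, the header names, the request paths and the sample requests are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods that must never change server state; the CSRF check skips them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Hypothetical stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict
    authenticated: bool  # browser already holds a valid session / auth ticket


def handle_unprotected(req: Request) -> int:
    """Vulnerable pattern: an authenticated request is honoured no matter
    which site in the browser triggered it. Returns an HTTP status code."""
    if not req.authenticated:
        return 401
    return 200


def _origin_of(value):
    """Normalise an Origin/Referer header to scheme://host[:port], or None."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(req: Request, allowed_origins, custom_header="X-Requested-With"):
    """Return None if the request may proceed, else a rejection reason.

    Two independent checks for state-changing methods:
      1. a custom request header must be present: a cross-site <form> or <img>
         cannot add one, and a cross-origin fetch() only can if the server's
         CORS policy grants that origin a successful preflight;
      2. the Origin (or, failing that, Referer) header must name one of the
         application's own origins."""
    if req.method.upper() in SAFE_METHODS:
        return None
    headers = {k.lower(): v for k, v in req.headers.items()}
    if custom_header.lower() not in headers:
        return "missing custom header"
    origin = _origin_of(headers.get("origin")) or _origin_of(headers.get("referer"))
    if origin is None:
        return "no Origin or Referer header"
    if origin not in {o.lower() for o in allowed_origins}:
        return f"origin {origin} not allowed"
    return None


def handle_protected(req: Request, allowed_origins) -> int:
    """Hardened pattern: authentication first, then the CSRF check."""
    if not req.authenticated:
        return 401
    if csrf_check(req, allowed_origins) is not None:
        return 403
    return 200


# Constructed sample traffic (assumed origins and paths, not captured data).
ALLOWED = {"https://piwebapi.example.internal"}

# Hidden auto-submitting form on attacker.example, sent by a browser that is
# already authenticated to the API. Browsers attach Origin to cross-site POSTs.
FORGED_POST = Request("POST", "/api/write",
                      {"Origin": "https://attacker.example",
                       "Content-Type": "application/x-www-form-urlencoded"},
                      authenticated=True)

# The application's own JavaScript client: same origin plus the custom header.
LEGIT_POST = Request("POST", "/api/write",
                     {"Origin": "https://piwebapi.example.internal",
                      "X-Requested-With": "XMLHttpRequest",
                      "Content-Type": "application/json"},
                     authenticated=True)

# Cross-site read: no state change, so the check does not apply.
CROSS_SITE_GET = Request("GET", "/api/read",
                         {"Origin": "https://attacker.example"},
                         authenticated=True)

# Custom header present but foreign origin (e.g. an over-permissive CORS policy
# let a cross-origin fetch() through); the origin check still catches it.
SPOOFED_HEADER_POST = Request("POST", "/api/write",
                              {"Origin": "https://attacker.example",
                               "X-Requested-With": "XMLHttpRequest"},
                              authenticated=True)


def demo():
    """Status codes for each sample request under both handlers."""
    return {
        "forged/unprotected": handle_unprotected(FORGED_POST),
        "forged/protected": handle_protected(FORGED_POST, ALLOWED),
        "legit/protected": handle_protected(LEGIT_POST, ALLOWED),
        "get/protected": handle_protected(CROSS_SITE_GET, ALLOWED),
        "spoofed/protected": handle_protected(SPOOFED_HEADER_POST, ALLOWED),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} -> {status}")
```

The custom-header check only holds if the server's CORS configuration does not hand arbitrary origins a successful preflight for that header; the origin check is the backstop for that misconfiguration, and a per-session anti-CSRF token is the usual third option when Origin/Referer cannot be relied on. For what the vendor actually changed in PI Web API 2017 (1.9.0), consult the AL00316 alert linked under PATCH.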

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.8

sources: IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f // CNVD: CNVD-2017-16356

AFFECTED PRODUCTS

vendor: osisoft | model: pi web api | scope: eq | version: 1.8

Trust: 1.6

vendor: osisoft | model: pi web api | scope: lt | version: 2017 (1.9.0)

Trust: 0.8

vendor: osisoft | model: pi web api | scope: eq | version: 2017 1.9.0

Trust: 0.6

vendor: osisoft | model: pi web api r2 | scope: eq | version: 2016 0

Trust: 0.3

vendor: osisoft | model: pi web api | scope: eq | version: 2016 1.7.0.176

Trust: 0.3

vendor: osisoft | model: pi web api r2 | scope: eq | version: 2015 1.5.1

Trust: 0.3

vendor: osisoft | model: pi web api | scope: ne | version: 2017 1.9.0

Trust: 0.3

vendor: pi web api | model: - | scope: eq | version: 1.8

Trust: 0.2

sources: IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f // CNVD: CNVD-2017-16356 // BID: 99058 // JVNDB: JVNDB-2017-007335 // CNNVD: CNNVD-201704-1044 // NVD: CVE-2017-7926

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-7926
value: HIGH

Trust: 1.0

NVD: CVE-2017-7926
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-16356
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-1044
value: HIGH

Trust: 0.6

IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-7926
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-16356
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-7926
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f // CNVD: CNVD-2017-16356 // JVNDB: JVNDB-2017-007335 // CNNVD: CNNVD-201704-1044 // NVD: CVE-2017-7926

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2017-007335 // NVD: CVE-2017-7926

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-1044

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201704-1044

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007335

PATCH

title: AL00316 - OSIsoft releases security update in PI Web API 2017 for CSRF vulnerability
url: https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00316

Trust: 0.8

title: Patch for OSIsoft PI Web API Cross-Site Request Forgery Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/98751

Trust: 0.6

title: OSIsoft PI Web API fixes for cross-site request forgery vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99753

Trust: 0.6

sources: CNVD: CNVD-2017-16356 // JVNDB: JVNDB-2017-007335 // CNNVD: CNNVD-201704-1044

EXTERNAL IDS

db: NVD | id: CVE-2017-7926

Trust: 3.5

db: ICS CERT | id: ICSA-17-164-03

Trust: 2.7

db: BID | id: 99058

Trust: 2.5

db: CNVD | id: CNVD-2017-16356

Trust: 0.8

db: CNNVD | id: CNNVD-201704-1044

Trust: 0.8

db: JVNDB | id: JVNDB-2017-007335

Trust: 0.8

db: IVD | id: E1BB21C8-8650-4E7F-A184-0A29A764DF9F

Trust: 0.2

sources: IVD: e1bb21c8-8650-4e7f-a184-0a29a764df9f // CNVD: CNVD-2017-16356 // BID: 99058 // JVNDB: JVNDB-2017-007335 // CNNVD: CNNVD-201704-1044 // NVD: CVE-2017-7926

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-17-164-03

Trust: 2.7

url:http://www.securityfocus.com/bid/99058

Trust: 2.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7926

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-7926

Trust: 0.8

url:https://techsupport.osisoft.com

Trust: 0.3

url:https://techsupport.osisoft.com/troubleshooting/alerts/al00316

Trust: 0.3

sources: CNVD: CNVD-2017-16356 // BID: 99058 // JVNDB: JVNDB-2017-007335 // CNNVD: CNNVD-201704-1044 // NVD: CVE-2017-7926

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 99058

SOURCES

db: IVD | id: e1bb21c8-8650-4e7f-a184-0a29a764df9f
db: CNVD | id: CNVD-2017-16356
db: BID | id: 99058
db: JVNDB | id: JVNDB-2017-007335
db: CNNVD | id: CNNVD-201704-1044
db: NVD | id: CVE-2017-7926

LAST UPDATE DATE

2024-11-23T22:12:52.804000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2017-16356 | date: 2017-07-25T00:00:00
db: BID | id: 99058 | date: 2017-06-13T00:00:00
db: JVNDB | id: JVNDB-2017-007335 | date: 2017-09-19T00:00:00
db: CNNVD | id: CNNVD-201704-1044 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2017-7926 | date: 2024-11-21T03:32:58.843

SOURCES RELEASE DATE

db: IVD | id: e1bb21c8-8650-4e7f-a184-0a29a764df9f | date: 2017-07-25T00:00:00
db: CNVD | id: CNVD-2017-16356 | date: 2017-07-25T00:00:00
db: BID | id: 99058 | date: 2017-06-13T00:00:00
db: JVNDB | id: JVNDB-2017-007335 | date: 2017-09-19T00:00:00
db: CNNVD | id: CNNVD-201704-1044 | date: 2017-04-21T00:00:00
db: NVD | id: CVE-2017-7926 | date: 2017-08-25T19:29:00.300