Sign-up

ID

VAR-201803-2202


CVE

CVE-2018-7500


TITLE

OSIsoft PI Web API Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-003012

DESCRIPTION

A Permissions, Privileges, and Access Controls issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Privileges may be escalated, giving attackers access to the PI System via the service account. OSIsoft PI Web API Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OSIsoft PI Web API is a product for accessing PI system data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or gain elevated privileges and perform unauthorized actions. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2018-7500 // JVNDB: JVNDB-2018-003012 // CNVD: CNVD-2018-05299 // BID: 103396 // IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1 // CNVD: CNVD-2018-05299

AFFECTED PRODUCTS

vendor:osisoftmodel:pi web apiscope:eqversion:2017

Trust: 1.6

vendor:osisoftmodel:pi visionscope:eqversion:2017

Trust: 1.6

vendor:osisoftmodel:pi web apiscope:lteversion:2017

Trust: 1.0

vendor:osisoftmodel:pi web apiscope:lteversion:2017 r2

Trust: 0.8

vendor:osisoftmodel:pi web api r2scope:lteversion:<=2017

Trust: 0.6

vendor:osisoftmodel:pi web api r2scope:eqversion:20170

Trust: 0.3

vendor:osisoftmodel:pi web api r2scope:eqversion:20160

Trust: 0.3

vendor:osisoftmodel:pi web api r2 sp1scope:neversion:20170

Trust: 0.3

vendor:osisoftmodel:pi vision r2 updatescope:neversion:20171

Trust: 0.3

vendor:osisoftmodel:pi af services r2 updatescope:neversion:201710

Trust: 0.3

vendor:pi web apimodel: - scope:eqversion:*

Trust: 0.2

vendor:pi web apimodel: - scope:eqversion:2017

Trust: 0.2

vendor:pi visionmodel: - scope:eqversion:2017

Trust: 0.2

sources: IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1 // CNVD: CNVD-2018-05299 // BID: 103396 // JVNDB: JVNDB-2018-003012 // CNNVD: CNNVD-201803-458 // NVD: CVE-2018-7500

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7500
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-7500
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-05299
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201803-458
value: CRITICAL

Trust: 0.6

IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1
value: CRITICAL

Trust: 0.2

nvd@nist.gov: CVE-2018-7500
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-05299
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7500
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1 // CNVD: CNVD-2018-05299 // JVNDB: JVNDB-2018-003012 // CNNVD: CNNVD-201803-458 // NVD: CVE-2018-7500

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: JVNDB: JVNDB-2018-003012 // NVD: CVE-2018-7500

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-458

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201803-458

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003012

PATCH
title:Top Pageurl:https://www.osisoft.com/
Trust: 0.8
title:Patch for OSIsoft PI Web API Privilege Escalation Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/121497
Trust: 0.6
title:OSIsoft PI Web API Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79108
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-05299 // 
            
            
            
            JVNDB: JVNDB-2018-003012 // 
            
            
            
            CNNVD: CNNVD-201803-458

EXTERNAL IDS
db:NVDid:CVE-2018-7500
Trust: 3.5
db:ICS CERTid:ICSA-18-072-04
Trust: 3.3
db:BIDid:103396
Trust: 1.9
db:CNVDid:CNVD-2018-05299
Trust: 0.8
db:CNNVDid:CNNVD-201803-458
Trust: 0.8
db:JVNDBid:JVNDB-2018-003012
Trust: 0.8
db:IVDid:E2E5E9A2-39AB-11E9-B8D3-000C29342CB1
Trust: 0.2
sources:
            
            
            IVD: e2e5e9a2-39ab-11e9-b8d3-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2018-05299 // 
            
            
            
            BID: 103396 // 
            
            
            
            JVNDB: JVNDB-2018-003012 // 
            
            
            
            CNNVD: CNNVD-201803-458 // 
            
            
            
            NVD: CVE-2018-7500

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-072-04
Trust: 3.3
url:http://www.securityfocus.com/bid/103396
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7500
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-7500
Trust: 0.8
url:https://www.osisoft.com/default.aspx
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2018-05299 // 
            
            
            
            BID: 103396 // 
            
            
            
            JVNDB: JVNDB-2018-003012 // 
            
            
            
            CNNVD: CNNVD-201803-458 // 
            
            
            
            NVD: CVE-2018-7500

CREDITS
OSIsoft
Trust: 0.3
sources:
            
            
            BID: 103396

SOURCES
db:IVDid:e2e5e9a2-39ab-11e9-b8d3-000c29342cb1
db:CNVDid:CNVD-2018-05299
db:BIDid:103396
db:JVNDBid:JVNDB-2018-003012
db:CNNVDid:CNNVD-201803-458
db:NVDid:CVE-2018-7500

LAST UPDATE DATE
2024-11-23T23:05:09.097000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-05299date:2018-03-14T00:00:00
db:BIDid:103396date:2018-03-13T00:00:00
db:JVNDBid:JVNDB-2018-003012date:2018-05-09T00:00:00
db:CNNVDid:CNNVD-201803-458date:2019-10-17T00:00:00
db:NVDid:CVE-2018-7500date:2024-11-21T04:12:15.153

SOURCES RELEASE DATE
db:IVDid:e2e5e9a2-39ab-11e9-b8d3-000c29342cb1date:2018-03-14T00:00:00
db:CNVDid:CNVD-2018-05299date:2018-03-14T00:00:00
db:BIDid:103396date:2018-03-13T00:00:00
db:JVNDBid:JVNDB-2018-003012date:2018-05-09T00:00:00
db:CNNVDid:CNNVD-201803-458date:2018-03-14T00:00:00
db:NVDid:CVE-2018-7500date:2018-03-14T18:29:00.500