ID

VAR-201805-0354


CVE

CVE-2017-9641


TITLE

OSIsoft PI Coresight Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: 17776aa1-0392-4099-bd01-a030c287a2fd // CNVD: CNVD-2017-22990 // CNNVD: CNNVD-201706-862

DESCRIPTION

PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability. Other attacks are also possible. OSIsoft PI Coresight 2016 R2 and earlier are vulnerable.

Trust: 2.61

sources: NVD: CVE-2017-9641 // JVNDB: JVNDB-2017-013472 // CNVD: CNVD-2017-22990 // BID: 99540 // IVD: 17776aa1-0392-4099-bd01-a030c287a2fd

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 17776aa1-0392-4099-bd01-a030c287a2fd // CNVD: CNVD-2017-22990

AFFECTED PRODUCTS

vendor: osisoft, model: pi coresight, scope: lte, version: 2016-r2

Trust: 1.0

vendor: osisoft, model: pi coresight, scope: eq, version: 2016 r2

Trust: 0.8

vendor: osisoft, model: pi coresight r2, scope: lte, version: <=2016

Trust: 0.6

vendor: osisoft, model: pi coresight, scope: eq, version: 2016-r2

Trust: 0.6

vendor: osisoft, model: pi coresight, scope: eq, version: 20160

Trust: 0.3

vendor: osisoft, model: pi coresight r2, scope: eq, version: 2016

Trust: 0.3

vendor: osisoft, model: pi coresight, scope: ne, version: 2017

Trust: 0.3

vendor: pi coresight, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 17776aa1-0392-4099-bd01-a030c287a2fd // CNVD: CNVD-2017-22990 // BID: 99540 // JVNDB: JVNDB-2017-013472 // CNNVD: CNNVD-201706-862 // NVD: CVE-2017-9641

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9641
value: HIGH

Trust: 1.0

NVD: CVE-2017-9641
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-22990
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201706-862
value: HIGH

Trust: 0.6

IVD: 17776aa1-0392-4099-bd01-a030c287a2fd
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-9641
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-22990
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 17776aa1-0392-4099-bd01-a030c287a2fd
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9641
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 17776aa1-0392-4099-bd01-a030c287a2fd // CNVD: CNVD-2017-22990 // JVNDB: JVNDB-2017-013472 // CNNVD: CNNVD-201706-862 // NVD: CVE-2017-9641

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2017-013472 // NVD: CVE-2017-9641

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-862

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201706-862

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-013472

PATCH

title: AL00320, url: https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00320

Trust: 0.8

title: Patch for OSIsoft PI Coresight Cross-Site Request Forgery Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/100862

Trust: 0.6

title: OSIsoft PI Coresight Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99871

Trust: 0.6

sources: CNVD: CNVD-2017-22990 // JVNDB: JVNDB-2017-013472 // CNNVD: CNNVD-201706-862

EXTERNAL IDS

db: NVD, id: CVE-2017-9641

Trust: 3.5

db: ICS CERT, id: ICSA-17-192-04

Trust: 3.3

db: BID, id: 99540

Trust: 2.5

db: CNVD, id: CNVD-2017-22990

Trust: 0.8

db: CNNVD, id: CNNVD-201706-862

Trust: 0.8

db: JVNDB, id: JVNDB-2017-013472

Trust: 0.8

db: IVD, id: 17776AA1-0392-4099-BD01-A030C287A2FD

Trust: 0.2

sources: IVD: 17776aa1-0392-4099-bd01-a030c287a2fd // CNVD: CNVD-2017-22990 // BID: 99540 // JVNDB: JVNDB-2017-013472 // CNNVD: CNNVD-201706-862 // NVD: CVE-2017-9641

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-17-192-04

Trust: 3.3

url: http://www.securityfocus.com/bid/99540

Trust: 2.2

url: https://techsupport.osisoft.com/troubleshooting/alerts/al00320

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9641

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9641

Trust: 0.8

url: https://techsupport.osisoft.com

Trust: 0.3

sources: CNVD: CNVD-2017-22990 // BID: 99540 // JVNDB: JVNDB-2017-013472 // CNNVD: CNNVD-201706-862 // NVD: CVE-2017-9641

CREDITS

OSIsoft

Trust: 0.3

sources: BID: 99540

SOURCES

db: IVD, id: 17776aa1-0392-4099-bd01-a030c287a2fd
db: CNVD, id: CNVD-2017-22990
db: BID, id: 99540
db: JVNDB, id: JVNDB-2017-013472
db: CNNVD, id: CNNVD-201706-862
db: NVD, id: CVE-2017-9641

LAST UPDATE DATE

2024-11-23T22:52:05.545000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-22990, date: 2017-08-25T00:00:00
db: BID, id: 99540, date: 2017-07-11T00:00:00
db: JVNDB, id: JVNDB-2017-013472, date: 2018-07-13T00:00:00
db: CNNVD, id: CNNVD-201706-862, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-9641, date: 2024-11-21T03:36:34.397

SOURCES RELEASE DATE

db: IVD, id: 17776aa1-0392-4099-bd01-a030c287a2fd, date: 2017-08-25T00:00:00
db: CNVD, id: CNVD-2017-22990, date: 2017-08-25T00:00:00
db: BID, id: 99540, date: 2017-07-11T00:00:00
db: JVNDB, id: JVNDB-2017-013472, date: 2018-07-13T00:00:00
db: CNNVD, id: CNNVD-201706-862, date: 2017-06-21T00:00:00
db: NVD, id: CVE-2017-9641, date: 2018-05-25T15:29:00.210