ID

VAR-201904-0334


CVE

CVE-2019-3941


TITLE

Advantech WebAccess Access Control Error Vulnerability

Trust: 1.4

sources: IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // CNVD: CNVD-2019-32475 // CNNVD: CNNVD-201904-479

DESCRIPTION

Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC. Advantech WebAccess Contains an access control vulnerability.Information may be tampered with. Advantech WebAccess is a browser-based HMI/SCADA software from Advantech, Taiwan. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. Advantech WebAccess is prone to the following security vulnerabilities: 1. An arbitrary file-download vulnerability 2. An arbitrary file-upload vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, modify and delete files and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.3.4 is vulnerable; other versions may also be affected. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

Trust: 2.7

sources: NVD: CVE-2019-3941 // JVNDB: JVNDB-2019-003250 // CNVD: CNVD-2019-32475 // BID: 107847 // IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // VULHUB: VHN-155376

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // CNVD: CNVD-2019-32475

AFFECTED PRODUCTS

vendor:advantechmodel:webaccessscope:eqversion:8.3.4

Trust: 2.4

vendor:advantechmodel:webaccess/scadascope:eqversion:8.3.4

Trust: 0.3

vendor:advantechmodel:webaccess/scadascope:neversion:8.3.5

Trust: 0.3

vendor:webaccessmodel: - scope:eqversion:8.3.4

Trust: 0.2

sources: IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // CNVD: CNVD-2019-32475 // BID: 107847 // JVNDB: JVNDB-2019-003250 // NVD: CVE-2019-3941

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3941
value: HIGH

Trust: 1.0

NVD: CVE-2019-3941
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-32475
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201904-479
value: HIGH

Trust: 0.6

IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f
value: HIGH

Trust: 0.2

VULHUB: VHN-155376
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-3941
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-32475
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-155376
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3941
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // CNVD: CNVD-2019-32475 // VULHUB: VHN-155376 // JVNDB: JVNDB-2019-003250 // CNNVD: CNNVD-201904-479 // NVD: CVE-2019-3941

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-155376 // JVNDB: JVNDB-2019-003250 // NVD: CVE-2019-3941

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-479

TYPE

Access control error

Trust: 0.8

sources: IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // CNNVD: CNNVD-201904-479

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003250

PATCH

title:Advantech WebAccessurl:https://www.advantech.co.jp/industrial-automation/webaccess

Trust: 0.8

title:Advantech WebAccess Access Control Error Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/181483

Trust: 0.6

title:Advantech WebAccess Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91306

Trust: 0.6

sources: CNVD: CNVD-2019-32475 // JVNDB: JVNDB-2019-003250 // CNNVD: CNNVD-201904-479

EXTERNAL IDS

db:NVDid:CVE-2019-3941

Trust: 3.6

db:TENABLEid:TRA-2019-15

Trust: 3.4

db:BIDid:107847

Trust: 2.0

db:CNNVDid:CNNVD-201904-479

Trust: 0.9

db:CNVDid:CNVD-2019-32475

Trust: 0.8

db:JVNDBid:JVNDB-2019-003250

Trust: 0.8

db:IVDid:977C7FA4-F2FA-4903-84F3-E97660225D1F

Trust: 0.2

db:VULHUBid:VHN-155376

Trust: 0.1

sources: IVD: 977c7fa4-f2fa-4903-84f3-e97660225d1f // CNVD: CNVD-2019-32475 // VULHUB: VHN-155376 // BID: 107847 // JVNDB: JVNDB-2019-003250 // CNNVD: CNNVD-201904-479 // NVD: CVE-2019-3941

REFERENCES

url:https://www.tenable.com/security/research/tra-2019-15

Trust: 3.4

url:http://www.securityfocus.com/bid/107847

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-3941

Trust: 1.4

url:http://webaccess.advantech.com

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3941

Trust: 0.8

sources: CNVD: CNVD-2019-32475 // VULHUB: VHN-155376 // BID: 107847 // JVNDB: JVNDB-2019-003250 // CNNVD: CNNVD-201904-479 // NVD: CVE-2019-3941

CREDITS

Tenable

Trust: 0.9

sources: BID: 107847 // CNNVD: CNNVD-201904-479

SOURCES

db:IVDid:977c7fa4-f2fa-4903-84f3-e97660225d1f
db:CNVDid:CNVD-2019-32475
db:VULHUBid:VHN-155376
db:BIDid:107847
db:JVNDBid:JVNDB-2019-003250
db:CNNVDid:CNNVD-201904-479
db:NVDid:CVE-2019-3941

LAST UPDATE DATE

2024-11-23T22:12:06.897000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-32475date:2019-09-21T00:00:00
db:VULHUBid:VHN-155376date:2020-08-24T00:00:00
db:BIDid:107847date:2019-04-03T00:00:00
db:JVNDBid:JVNDB-2019-003250date:2019-05-13T00:00:00
db:CNNVDid:CNNVD-201904-479date:2020-08-25T00:00:00
db:NVDid:CVE-2019-3941date:2024-11-21T04:42:54.673

SOURCES RELEASE DATE

db:IVDid:977c7fa4-f2fa-4903-84f3-e97660225d1fdate:2019-09-21T00:00:00
db:CNVDid:CNVD-2019-32475date:2019-09-21T00:00:00
db:VULHUBid:VHN-155376date:2019-04-09T00:00:00
db:BIDid:107847date:2019-04-03T00:00:00
db:JVNDBid:JVNDB-2019-003250date:2019-05-13T00:00:00
db:CNNVDid:CNNVD-201904-479date:2019-04-09T00:00:00
db:NVDid:CVE-2019-3941date:2019-04-09T16:29:02.147