Details of VAR-201909-0996

ID

VAR-201909-0996

CVE

CVE-2019-13532

TITLE

3S-Smart Software Solutions CODESYS V3 web server Path traversal vulnerability

Trust: 1.4

sources: IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a // CNVD: CNVD-2019-32463 // CNNVD: CNNVD-201909-657

DESCRIPTION

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller. CODESYS V3 web The server contains a path traversal vulnerability.Information may be obtained

Trust: 2.34

sources: NVD: CVE-2019-13532 // JVNDB: JVNDB-2019-009414 // CNVD: CNVD-2019-32463 // IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a // CNVD: CNVD-2019-32463

AFFECTED PRODUCTS

vendor:	codesys	model:	control for empc-a\/imx6	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control rte	scope:	lt	version:	3.5.12.80	Trust: 1.0
vendor:	codesys	model:	hmi	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control for raspberry pi	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control rte	scope:	gte	version:	3.5.13.0	Trust: 1.0
vendor:	codesys	model:	control for pfc100	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control win	scope:	lte	version:	3.5.12.80	Trust: 1.0
vendor:	codesys	model:	control win	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control runtime system toolkit	scope:	gte	version:	3.0	Trust: 1.0
vendor:	codesys	model:	embedded target visu toolkit	scope:	lt	version:	3.5.12.80	Trust: 1.0
vendor:	codesys	model:	control win	scope:	gte	version:	3.5.9.80	Trust: 1.0
vendor:	codesys	model:	hmi	scope:	gte	version:	3.5.10.0	Trust: 1.0
vendor:	codesys	model:	hmi	scope:	lt	version:	3.5.12.80	Trust: 1.0
vendor:	codesys	model:	remote target visu toolkit	scope:	lt	version:	3.5.12.80	Trust: 1.0
vendor:	codesys	model:	embedded target visu toolkit	scope:	gte	version:	3.0	Trust: 1.0
vendor:	codesys	model:	hmi	scope:	gte	version:	3.5.13.0	Trust: 1.0
vendor:	codesys	model:	control for iot2000	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control for beaglebone	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control for pfc200	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	control rte	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	codesys	model:	remote target visu toolkit	scope:	gte	version:	3.0	Trust: 1.0
vendor:	codesys	model:	control runtime system toolkit	scope:	lt	version:	3.5.12.80	Trust: 1.0
vendor:	codesys	model:	control rte	scope:	gte	version:	3.5.8.60	Trust: 1.0
vendor:	codesys	model:	control win	scope:	gte	version:	3.5.13.0	Trust: 1.0
vendor:	codesys	model:	control for linux	scope:	lt	version:	3.5.14.10	Trust: 1.0
vendor:	3s smart	model:	codesys control for beaglebone	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control for empc-a/imx6	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control for iot2000	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control for linux	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control for pfc100	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control for pfc200	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control for raspberry pi	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control rte v3	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control runtime system toolkit	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	codesys control win sl	scope:	-	version:	-	Trust: 0.8
vendor:	3s smart	model:	software solutions codesys web server	scope:	eq	version:	v3<3.5.14.10	Trust: 0.6
vendor:	control rte	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	control win	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	hmi	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	control for beaglebone	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control for empc a imx6	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control for iot2000	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control for linux	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control for pfc100	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control for pfc200	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control for raspberry pi	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	control runtime system toolkit	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	embedded target visu toolkit	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	remote target visu toolkit	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a // CNVD: CNVD-2019-32463 // JVNDB: JVNDB-2019-009414 // NVD: CVE-2019-13532

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-13532
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-13532
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-32463
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201909-657
value:	HIGH
Trust: 0.6
IVD:	f4634c88-ffbb-41d2-9de5-4c49df63339a
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-13532
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-32463
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	f4634c88-ffbb-41d2-9de5-4c49df63339a
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-13532
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-13532
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a // CNVD: CNVD-2019-32463 // JVNDB: JVNDB-2019-009414 // CNNVD: CNNVD-201909-657 // NVD: CVE-2019-13532

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2019-009414 // NVD: CVE-2019-13532

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-657

TYPE

Path traversal

Trust: 0.8

sources: IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a // CNNVD: CNNVD-201909-657

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009414

PATCH

title:	Top Page	url:	https://www.codesys.com/	Trust: 0.8
title:	3S-Smart Software Solutions CODESYS V3 web server path traversal vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/181469	Trust: 0.6
title:	CODESYS V3 web server Repair measures for path traversal vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98231	Trust: 0.6

sources: CNVD: CNVD-2019-32463 // JVNDB: JVNDB-2019-009414 // CNNVD: CNNVD-201909-657

EXTERNAL IDS

db:	NVD	id:	CVE-2019-13532	Trust: 3.2
db:	ICS CERT	id:	ICSA-19-255-01	Trust: 2.4
db:	AUSCERT	id:	ESB-2019.3487	Trust: 1.2
db:	CNVD	id:	CNVD-2019-32463	Trust: 0.8
db:	CNNVD	id:	CNNVD-201909-657	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-009414	Trust: 0.8
db:	ICS CERT	id:	ICSA-19-255-04	Trust: 0.6
db:	ICS CERT	id:	ICSA-19-255-03	Trust: 0.6
db:	ICS CERT	id:	ICSA-19-255-05	Trust: 0.6
db:	ICS CERT	id:	ICSA-19-255-02	Trust: 0.6
db:	IVD	id:	F4634C88-FFBB-41D2-9DE5-4C49DF63339A	Trust: 0.2

sources: IVD: f4634c88-ffbb-41d2-9de5-4c49df63339a // CNVD: CNVD-2019-32463 // JVNDB: JVNDB-2019-009414 // CNNVD: CNNVD-201909-657 // NVD: CVE-2019-13532

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-255-01	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13532	Trust: 2.0
url:	https://www.auscert.org.au/bulletins/esb-2019.3487/	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13532	Trust: 0.8
url:	https://www.us-cert.gov/ics/advisories/icsa-19-255-05	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-19-255-04	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-19-255-03	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-19-255-02	Trust: 0.6

sources: CNVD: CNVD-2019-32463 // JVNDB: JVNDB-2019-009414 // CNNVD: CNNVD-201909-657 // NVD: CVE-2019-13532

SOURCES

db:	IVD	id:	f4634c88-ffbb-41d2-9de5-4c49df63339a
db:	CNVD	id:	CNVD-2019-32463
db:	JVNDB	id:	JVNDB-2019-009414
db:	CNNVD	id:	CNNVD-201909-657
db:	NVD	id:	CVE-2019-13532

LAST UPDATE DATE

2024-11-23T22:05:59.550000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-32463	date:	2019-09-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-009414	date:	2019-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201909-657	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2019-13532	date:	2024-11-21T04:25:05.470

SOURCES RELEASE DATE

db:	IVD	id:	f4634c88-ffbb-41d2-9de5-4c49df63339a	date:	2019-09-21T00:00:00
db:	CNVD	id:	CNVD-2019-32463	date:	2019-09-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-009414	date:	2019-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201909-657	date:	2019-09-13T00:00:00
db:	NVD	id:	CVE-2019-13532	date:	2019-09-13T17:15:11.617