Sign-up

ID

VAR-201912-1286


CVE

CVE-2019-18320


TITLE

SPPA-T3000 Application Server Vulnerable to unlimited upload of dangerous types of files

Trust: 0.8

sources: JVNDB: JVNDB-2019-013102

DESCRIPTION

A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). An attacker with network access to the Application Server could be able to upload arbitrary files without authentication. Please note that an attacker needs to have network access to the Application Server in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. SPPA-T3000 is a distributed control system mainly used in thermal power plants and large renewable energy power plants. There is a security vulnerability in the Siemens SPPA-T3000

Trust: 2.34

sources: NVD: CVE-2019-18320 // JVNDB: JVNDB-2019-013102 // CNVD: CNVD-2019-44767 // IVD: 7913a294-b41f-4f21-81c7-117d53d033c6

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767

AFFECTED PRODUCTS

vendor:siemensmodel:sppa-t3000 application serverscope: - version: -

Trust: 1.4

vendor:siemensmodel:sppa-t3000 application serverscope:ltversion:r8.2

Trust: 1.0

vendor:siemensmodel:sppa-t3000 application serverscope:eqversion:r8.2

Trust: 1.0

vendor:sppa t3000 application servermodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102 // NVD: CVE-2019-18320

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18320
value: HIGH

Trust: 1.0

NVD: CVE-2019-18320
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-44767
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201912-636
value: HIGH

Trust: 0.6

IVD: 7913a294-b41f-4f21-81c7-117d53d033c6
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2019-18320
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-44767
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7913a294-b41f-4f21-81c7-117d53d033c6
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-18320
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-18320
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102 // CNNVD: CNNVD-201912-636 // NVD: CVE-2019-18320

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.8

problemtype:CWE-287

Trust: 1.0

sources: JVNDB: JVNDB-2019-013102 // NVD: CVE-2019-18320

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-636

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201912-636

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-013102

PATCH
title:SSA-451445url:https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf
Trust: 0.8
title:Patch for Siemens SPPA-T3000 Improper Authentication Vulnerability (CNVD-2019-44767)url:https://www.cnvd.org.cn/patchInfo/show/193761
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-44767 // 
            
            
            
            JVNDB: JVNDB-2019-013102

EXTERNAL IDS
db:NVDid:CVE-2019-18320
Trust: 3.2
db:SIEMENSid:SSA-451445
Trust: 2.2
db:ICS CERTid:ICSA-19-351-02
Trust: 1.4
db:CNVDid:CNVD-2019-44767
Trust: 0.8
db:CNNVDid:CNNVD-201912-636
Trust: 0.8
db:JVNDBid:JVNDB-2019-013102
Trust: 0.8
db:AUSCERTid:ESB-2019.4705
Trust: 0.6
db:IVDid:7913A294-B41F-4F21-81C7-117D53D033C6
Trust: 0.2
sources:
            
            
            IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // 
            
            
            
            CNVD: CNVD-2019-44767 // 
            
            
            
            JVNDB: JVNDB-2019-013102 // 
            
            
            
            CNNVD: CNNVD-201912-636 // 
            
            
            
            NVD: CVE-2019-18320

REFERENCES
url:https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf
Trust: 2.2
url:https://www.us-cert.gov/ics/advisories/icsa-19-351-02
Trust: 1.4
url:https://nvd.nist.gov/vuln/detail/cve-2019-18320
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18320
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2019.4705/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-44767 // 
            
            
            
            JVNDB: JVNDB-2019-013102 // 
            
            
            
            CNNVD: CNNVD-201912-636 // 
            
            
            
            NVD: CVE-2019-18320

SOURCES
db:IVDid:7913a294-b41f-4f21-81c7-117d53d033c6
db:CNVDid:CNVD-2019-44767
db:JVNDBid:JVNDB-2019-013102
db:CNNVDid:CNNVD-201912-636
db:NVDid:CVE-2019-18320

LAST UPDATE DATE
2024-08-14T13:25:15.643000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-44767date:2019-12-11T00:00:00
db:JVNDBid:JVNDB-2019-013102date:2019-12-26T00:00:00
db:CNNVDid:CNNVD-201912-636date:2022-02-25T00:00:00
db:NVDid:CVE-2019-18320date:2022-03-04T20:49:41.263

SOURCES RELEASE DATE
db:IVDid:7913a294-b41f-4f21-81c7-117d53d033c6date:2019-12-11T00:00:00
db:CNVDid:CNVD-2019-44767date:2019-12-11T00:00:00
db:JVNDBid:JVNDB-2019-013102date:2019-12-19T00:00:00
db:CNNVDid:CNNVD-201912-636date:2019-12-12T00:00:00
db:NVDid:CVE-2019-18320date:2019-12-12T19:15:18.607