ID

VAR-201912-1286


CVE

CVE-2019-18320


TITLE

SPPA-T3000 Application Server Vulnerable to unlimited upload of dangerous types of files

Trust: 0.8

sources: JVNDB: JVNDB-2019-013102

DESCRIPTION

A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). An attacker with network access to the Application Server could be able to upload arbitrary files without authentication. Please note that an attacker needs to have network access to the Application Server in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. SPPA-T3000 is a distributed control system mainly used in thermal power plants and large renewable energy power plants. There is a security vulnerability in the Siemens SPPA-T3000

Trust: 2.34

sources: NVD: CVE-2019-18320 // JVNDB: JVNDB-2019-013102 // CNVD: CNVD-2019-44767 // IVD: 7913a294-b41f-4f21-81c7-117d53d033c6

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767

AFFECTED PRODUCTS

vendor:siemensmodel:sppa-t3000 application serverscope: - version: -

Trust: 1.4

vendor:siemensmodel:sppa-t3000 application serverscope:ltversion:r8.2

Trust: 1.0

vendor:siemensmodel:sppa-t3000 application serverscope:eqversion:r8.2

Trust: 1.0

vendor:sppa t3000 application servermodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102 // NVD: CVE-2019-18320

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18320
value: HIGH

Trust: 1.0

NVD: CVE-2019-18320
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-44767
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201912-636
value: HIGH

Trust: 0.6

IVD: 7913a294-b41f-4f21-81c7-117d53d033c6
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2019-18320
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-44767
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7913a294-b41f-4f21-81c7-117d53d033c6
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-18320
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-18320
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102 // CNNVD: CNNVD-201912-636 // NVD: CVE-2019-18320

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.8

problemtype:CWE-287

Trust: 1.0

sources: JVNDB: JVNDB-2019-013102 // NVD: CVE-2019-18320

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-636

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201912-636

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013102

PATCH

title:SSA-451445url:https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf

Trust: 0.8

title:Patch for Siemens SPPA-T3000 Improper Authentication Vulnerability (CNVD-2019-44767)url:https://www.cnvd.org.cn/patchInfo/show/193761

Trust: 0.6

sources: CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102

EXTERNAL IDS

db:NVDid:CVE-2019-18320

Trust: 3.2

db:SIEMENSid:SSA-451445

Trust: 2.2

db:ICS CERTid:ICSA-19-351-02

Trust: 1.4

db:CNVDid:CNVD-2019-44767

Trust: 0.8

db:CNNVDid:CNNVD-201912-636

Trust: 0.8

db:JVNDBid:JVNDB-2019-013102

Trust: 0.8

db:AUSCERTid:ESB-2019.4705

Trust: 0.6

db:IVDid:7913A294-B41F-4F21-81C7-117D53D033C6

Trust: 0.2

sources: IVD: 7913a294-b41f-4f21-81c7-117d53d033c6 // CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102 // CNNVD: CNNVD-201912-636 // NVD: CVE-2019-18320

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf

Trust: 2.2

url:https://www.us-cert.gov/ics/advisories/icsa-19-351-02

Trust: 1.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-18320

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18320

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.4705/

Trust: 0.6

sources: CNVD: CNVD-2019-44767 // JVNDB: JVNDB-2019-013102 // CNNVD: CNNVD-201912-636 // NVD: CVE-2019-18320

SOURCES

db:IVDid:7913a294-b41f-4f21-81c7-117d53d033c6
db:CNVDid:CNVD-2019-44767
db:JVNDBid:JVNDB-2019-013102
db:CNNVDid:CNNVD-201912-636
db:NVDid:CVE-2019-18320

LAST UPDATE DATE

2024-08-14T13:25:15.643000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-44767date:2019-12-11T00:00:00
db:JVNDBid:JVNDB-2019-013102date:2019-12-26T00:00:00
db:CNNVDid:CNNVD-201912-636date:2022-02-25T00:00:00
db:NVDid:CVE-2019-18320date:2022-03-04T20:49:41.263

SOURCES RELEASE DATE

db:IVDid:7913a294-b41f-4f21-81c7-117d53d033c6date:2019-12-11T00:00:00
db:CNVDid:CNVD-2019-44767date:2019-12-11T00:00:00
db:JVNDBid:JVNDB-2019-013102date:2019-12-19T00:00:00
db:CNNVDid:CNNVD-201912-636date:2019-12-12T00:00:00
db:NVDid:CVE-2019-18320date:2019-12-12T19:15:18.607