Details of VAR-202002-1475

ID

VAR-202002-1475

CVE

CVE-2019-13941

TITLE

OZW672 and OZW772 Vulnerability in externally accessible files or directories in

Trust: 0.8

sources: JVNDB: JVNDB-2019-014548

DESCRIPTION

A vulnerability has been identified in OZW672 (All versions < V10.00), OZW772 (All versions < V10.00). Vulnerable versions of OZW Web Server use predictable path names for project files that legitimately authenticated users have created by using the application's export function. By accessing a specific uniform resource locator on the web server, a remote attacker could be able to download a project file without prior authentication. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected system. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises the confidentiality of the targeted system. OZW672 and OZW772 Contains vulnerabilities in externally accessible files or directories.Information may be obtained. Siemens OZW672 and OZW772 are the building controller products of Germany's Siemens

Trust: 2.34

sources: NVD: CVE-2019-13941 // JVNDB: JVNDB-2019-014548 // CNVD: CNVD-2020-15262 // IVD: 9d70a0cb-14c2-49ad-8202-3ae7b396c3ad

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 9d70a0cb-14c2-49ad-8202-3ae7b396c3ad // CNVD: CNVD-2020-15262

AFFECTED PRODUCTS

vendor:	siemens	model:	ozw772	scope:	lt	version:	10.00	Trust: 1.0
vendor:	siemens	model:	ozw672	scope:	lt	version:	10.00	Trust: 1.0
vendor:	siemens	model:	ozw672	scope:	eq	version:	10.00	Trust: 0.8
vendor:	siemens	model:	ozw772	scope:	eq	version:	10.00	Trust: 0.8
vendor:	siemens	model:	ozw672	scope:	lt	version:	v10.00	Trust: 0.6
vendor:	siemens	model:	ozw772	scope:	lt	version:	v10.00	Trust: 0.6
vendor:	ozw672	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	ozw772	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 9d70a0cb-14c2-49ad-8202-3ae7b396c3ad // CNVD: CNVD-2020-15262 // JVNDB: JVNDB-2019-014548 // NVD: CVE-2019-13941

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-13941
value:	HIGH
Trust: 1.0
NVD:	JVNDB-2019-014548
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-15262
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202002-454
value:	HIGH
Trust: 0.6
IVD:	9d70a0cb-14c2-49ad-8202-3ae7b396c3ad
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2019-13941
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014548
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-15262
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	9d70a0cb-14c2-49ad-8202-3ae7b396c3ad
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2019-13941
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2019-014548
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 9d70a0cb-14c2-49ad-8202-3ae7b396c3ad // CNVD: CNVD-2020-15262 // JVNDB: JVNDB-2019-014548 // CNNVD: CNNVD-202002-454 // NVD: CVE-2019-13941

PROBLEMTYPE DATA

problemtype:

CWE-552

Trust: 1.8

sources: JVNDB: JVNDB-2019-014548 // NVD: CVE-2019-13941

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-454

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202002-454

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014548

PATCH

title:	SSA-986695	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-986695.pdf	Trust: 0.8
title:	Patch for Siemens OZW672 and OZW772 Information Disclosure Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/206793	Trust: 0.6
title:	Siemens OZW672 and OZW772 Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110189	Trust: 0.6

sources: CNVD: CNVD-2020-15262 // JVNDB: JVNDB-2019-014548 // CNNVD: CNNVD-202002-454

EXTERNAL IDS

db:	NVD	id:	CVE-2019-13941	Trust: 3.2
db:	ICS CERT	id:	ICSA-20-042-09	Trust: 3.0
db:	SIEMENS	id:	SSA-986695	Trust: 1.6
db:	CNVD	id:	CNVD-2020-15262	Trust: 0.8
db:	CNNVD	id:	CNNVD-202002-454	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-014548	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.0486	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.0486.3	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.0486.2	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-06	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-07	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-10	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-02	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-05	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-08	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-04	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-03	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-042-01	Trust: 0.6
db:	IVD	id:	9D70A0CB-14C2-49AD-8202-3AE7B396C3AD	Trust: 0.2

sources: IVD: 9d70a0cb-14c2-49ad-8202-3ae7b396c3ad // CNVD: CNVD-2020-15262 // JVNDB: JVNDB-2019-014548 // CNNVD: CNNVD-202002-454 // NVD: CVE-2019-13941

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-09	Trust: 3.0
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-986695.pdf	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13941	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13941	Trust: 0.8
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-10	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-08	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-07	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-06	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-05	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-04	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-03	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-02	Trust: 0.6
url:	https://www.us-cert.gov/ics/advisories/icsa-20-042-01	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0486/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0486.2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.0486.3/	Trust: 0.6

sources: CNVD: CNVD-2020-15262 // JVNDB: JVNDB-2019-014548 // CNNVD: CNNVD-202002-454 // NVD: CVE-2019-13941

SOURCES

db:	IVD	id:	9d70a0cb-14c2-49ad-8202-3ae7b396c3ad
db:	CNVD	id:	CNVD-2020-15262
db:	JVNDB	id:	JVNDB-2019-014548
db:	CNNVD	id:	CNNVD-202002-454
db:	NVD	id:	CVE-2019-13941

LAST UPDATE DATE

2024-11-23T21:21:04.171000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-15262	date:	2020-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-014548	date:	2020-03-26T00:00:00
db:	CNNVD	id:	CNNVD-202002-454	date:	2021-01-05T00:00:00
db:	NVD	id:	CVE-2019-13941	date:	2024-11-21T04:25:44.447

SOURCES RELEASE DATE

db:	IVD	id:	9d70a0cb-14c2-49ad-8202-3ae7b396c3ad	date:	2020-02-11T00:00:00
db:	CNVD	id:	CNVD-2020-15262	date:	2020-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-014548	date:	2020-02-27T00:00:00
db:	CNNVD	id:	CNNVD-202002-454	date:	2020-02-11T00:00:00
db:	NVD	id:	CVE-2019-13941	date:	2020-02-11T16:15:14.897