ID

VAR-202004-0688


CVE

CVE-2019-3942


TITLE

Advantech WebAccess Vulnerability regarding inadequate protection of credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2019-015244

DESCRIPTION

Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. Advantech WebAccess contains an inadequate protection of credentials vulnerability. Information may be obtained. Advantech WebAccess is a browser-based HMI/SCADA software suite from the Chinese company Advantech. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automated equipment. Advantech WebAccess version 8.3.4 has an access control error vulnerability that originates from the program's failure to properly restrict RPC calls.

Trust: 2.79

sources: NVD: CVE-2019-3942 // JVNDB: JVNDB-2019-015244 // CNVD: CNVD-2020-22292 // IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3 // IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043 // IVD: efd64e2f-8a74-497e-9b91-faf9825974a3 // VULHUB: VHN-155377

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.2

sources: IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3 // IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043 // IVD: efd64e2f-8a74-497e-9b91-faf9825974a3 // CNVD: CNVD-2020-22292

AFFECTED PRODUCTS

vendor: advantech, model: webaccess, scope: eq, version: 8.3.4

Trust: 1.8

vendor: webaccess, model: -, scope: eq, version: 8.3.4

Trust: 0.6

vendor: advantech, model: webaccess, scope: lt, version: 8.3.4

Trust: 0.6

sources: IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3 // IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043 // IVD: efd64e2f-8a74-497e-9b91-faf9825974a3 // CNVD: CNVD-2020-22292 // JVNDB: JVNDB-2019-015244 // NVD: CVE-2019-3942

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3942
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015244
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-22292
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202004-020
value: HIGH

Trust: 0.6

IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3
value: HIGH

Trust: 0.2

IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043
value: HIGH

Trust: 0.2

IVD: efd64e2f-8a74-497e-9b91-faf9825974a3
value: HIGH

Trust: 0.2

VULHUB: VHN-155377
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-3942
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-015244
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-22292
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: efd64e2f-8a74-497e-9b91-faf9825974a3
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-155377
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3942
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015244
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3 // IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043 // IVD: efd64e2f-8a74-497e-9b91-faf9825974a3 // CNVD: CNVD-2020-22292 // VULHUB: VHN-155377 // JVNDB: JVNDB-2019-015244 // CNNVD: CNNVD-202004-020 // NVD: CVE-2019-3942

PROBLEMTYPE DATA

problemtype: CWE-522

Trust: 1.9

problemtype: CWE-284

Trust: 1.0

sources: VULHUB: VHN-155377 // JVNDB: JVNDB-2019-015244 // NVD: CVE-2019-3942

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-020

TYPE

Access control error

Trust: 1.2

sources: IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3 // IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043 // IVD: efd64e2f-8a74-497e-9b91-faf9825974a3 // CNNVD: CNNVD-202004-020

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-015244

PATCH

title: Advantech WebAccess
url: https://www.advantech.co.jp/industrial-automation/webaccess

Trust: 0.8

title: Patch for Advantech WebAccess access control error vulnerability (CNVD-2020-22292)
url: https://www.cnvd.org.cn/patchInfo/show/213425

Trust: 0.6

title: Advantech WebAccess Fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113162

Trust: 0.6

sources: CNVD: CNVD-2020-22292 // JVNDB: JVNDB-2019-015244 // CNNVD: CNNVD-202004-020

EXTERNAL IDS

db: NVD, id: CVE-2019-3942

Trust: 3.7

db: TENABLE, id: TRA-2019-15

Trust: 2.5

db: CNNVD, id: CNNVD-202004-020

Trust: 1.3

db: CNVD, id: CNVD-2020-22292

Trust: 1.2

db: JVNDB, id: JVNDB-2019-015244

Trust: 0.8

db: IVD, id: 66FEF8D1-F250-4901-9E4C-AC55484F56D3

Trust: 0.2

db: IVD, id: 39B72FC8-F6A4-4080-90FD-093C362FE043

Trust: 0.2

db: IVD, id: EFD64E2F-8A74-497E-9B91-FAF9825974A3

Trust: 0.2

db: VULHUB, id: VHN-155377

Trust: 0.1

sources: IVD: 66fef8d1-f250-4901-9e4c-ac55484f56d3 // IVD: 39b72fc8-f6a4-4080-90fd-093c362fe043 // IVD: efd64e2f-8a74-497e-9b91-faf9825974a3 // CNVD: CNVD-2020-22292 // VULHUB: VHN-155377 // JVNDB: JVNDB-2019-015244 // CNNVD: CNNVD-202004-020 // NVD: CVE-2019-3942

REFERENCES

url: https://www.tenable.com/security/research/tra-2019-15

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2019-3942

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3942

Trust: 0.8

sources: CNVD: CNVD-2020-22292 // VULHUB: VHN-155377 // JVNDB: JVNDB-2019-015244 // CNNVD: CNNVD-202004-020 // NVD: CVE-2019-3942

SOURCES

db: IVD, id: 66fef8d1-f250-4901-9e4c-ac55484f56d3
db: IVD, id: 39b72fc8-f6a4-4080-90fd-093c362fe043
db: IVD, id: efd64e2f-8a74-497e-9b91-faf9825974a3
db: CNVD, id: CNVD-2020-22292
db: VULHUB, id: VHN-155377
db: JVNDB, id: JVNDB-2019-015244
db: CNNVD, id: CNNVD-202004-020
db: NVD, id: CVE-2019-3942

LAST UPDATE DATE

2024-08-14T15:12:25.144000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-22292, date: 2020-04-11T00:00:00
db: VULHUB, id: VHN-155377, date: 2020-04-02T00:00:00
db: JVNDB, id: JVNDB-2019-015244, date: 2020-04-21T00:00:00
db: CNNVD, id: CNNVD-202004-020, date: 2020-04-09T00:00:00
db: NVD, id: CVE-2019-3942, date: 2020-04-02T15:30:48.130

SOURCES RELEASE DATE

db: IVD, id: 66fef8d1-f250-4901-9e4c-ac55484f56d3, date: 2020-04-01T00:00:00
db: IVD, id: 39b72fc8-f6a4-4080-90fd-093c362fe043, date: 2020-04-01T00:00:00
db: IVD, id: efd64e2f-8a74-497e-9b91-faf9825974a3, date: 2020-04-01T00:00:00
db: CNVD, id: CNVD-2020-22292, date: 2020-04-11T00:00:00
db: VULHUB, id: VHN-155377, date: 2020-04-01T00:00:00
db: JVNDB, id: JVNDB-2019-015244, date: 2020-04-21T00:00:00
db: CNNVD, id: CNNVD-202004-020, date: 2020-04-01T00:00:00
db: NVD, id: CVE-2019-3942, date: 2020-04-01T17:15:14.830