CVE-2017-20007 - OpenCVE

Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the device´s web service could exploit this vulnerability in order to obtain different configuration files.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ingeteam	Ingepac Da Au Ingepac Da Au Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ingeteam:ingepac_da_au_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ingeteam:ingepac_da_au:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe-cert.es/en/early-warning/ics-advisories/information-exposure-ingepac-da-au

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2021-10-25T13:33:40.894090Z

Updated: 2024-09-17T00:51:13.127Z

Reserved: 2021-09-29T00:00:00

Link: CVE-2017-20007

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-25T14:15:08.537

Modified: 2021-10-28T20:01:35.243

Link: CVE-2017-20007

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "INGEPAC DA AU", "vendor": "Ingeteam", "versions": [{"lessThanOrEqual": "AUC_1.13.0.28", "status": "affected", "version": "AUC_1.13.0.28", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Industrial Cybersecurity team of S21sec, special mention to Jacinto Moral Matell\u00e1n."}], "datePublic": "2021-10-20T00:00:00", "descriptions": [{"lang": "en", "value": "Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the device\u00b4s web service could exploit this vulnerability in order to obtain different configuration files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-25T13:33:40", "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/information-exposure-ingepac-da-au"}], "solutions": [{"lang": "en", "value": "All the firmware versions from AUC_1.14.0.29 fix this issue."}], "source": {"advisory": "INCIBE-2021-0429", "discovery": "EXTERNAL"}, "title": "Information Exposure in INGEPAC DA AU", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2021-10-20T09:00:00.000Z", "ID": "CVE-2017-20007", "STATE": "PUBLIC", "TITLE": "Information Exposure in INGEPAC DA AU"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "INGEPAC DA AU", "version": {"version_data": [{"version_affected": "<=", "version_name": "AUC_1.13.0.28", "version_value": "AUC_1.13.0.28"}]}}]}, "vendor_name": "Ingeteam"}]}}, "credit": [{"lang": "eng", "value": "Industrial Cybersecurity team of S21sec, special mention to Jacinto Moral Matell\u00e1n."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the device\u00b4s web service could exploit this vulnerability in order to obtain different configuration files."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/information-exposure-ingepac-da-au", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/information-exposure-ingepac-da-au"}]}, "solution": [{"lang": "en", "value": "All the firmware versions from AUC_1.14.0.29 fix this issue."}], "source": {"advisory": "INCIBE-2021-0429", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:45:24.444Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/information-exposure-ingepac-da-au"}]}]}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2017-20007", "datePublished": "2021-10-25T13:33:40.894090Z", "dateReserved": "2021-09-29T00:00:00", "dateUpdated": "2024-09-17T00:51:13.127Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ingeteam:ingepac_da_au_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "69843CF9-1FDA-4003-9D98-B07D4A10500D", "versionEndIncluding": "auc_1.13.0.28", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ingeteam:ingepac_da_au:-:*:*:*:*:*:*:*", "matchCriteriaId": "704C1AD2-2698-4F05-801D-96E5231FFB24", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allows access to a certain path that contains sensitive information that could be used by an attacker to execute more sophisticated attacks. An unauthenticated remote attacker with access to the device\u00b4s web service could exploit this vulnerability in order to obtain different configuration files."}, {"lang": "es", "value": "La aplicaci\u00f3n web Ingeteam INGEPAC DA AU versiones AUC_1.13.0.28 (y anteriores), permiten el acceso a una determinada ruta que contiene informaci\u00f3n confidencial que podr\u00eda ser usada por un atacante para ejecutar ataques m\u00e1s sofisticados. Un atacante remoto no autenticado con acceso al servicio web del dispositivo podr\u00eda explotar esta vulnerabilidad para obtener diferentes archivos de configuraci\u00f3n"}], "id": "CVE-2017-20007", "lastModified": "2021-10-28T20:01:35.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2021-10-25T14:15:08.537", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/information-exposure-ingepac-da-au"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}