CVE-2017-5158 - OpenCVE

An Information Exposure issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. Credentials may be exposed to external systems via specific URL parameters, as arbitrary destination addresses may be specified.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Aveva	Wonderware Intouch Access Anywhere

Configuration 1 [-]

cpe:2.3:a:aveva:wonderware_intouch_access_anywhere:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/
http://www.securityfocus.com/bid/97256
https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2017-04-20T19:00:00

Updated: 2024-08-05T14:55:35.144Z

Reserved: 2017-01-03T00:00:00

Link: CVE-2017-5158

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-04-20T20:59:00.440

Modified: 2021-09-09T13:31:32.243

Link: CVE-2017-5158

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Schneider Electric Wonderware InTouch Access Anywhere", "vendor": "n/a", "versions": [{"status": "affected", "version": "Schneider Electric Wonderware InTouch Access Anywhere"}]}], "datePublic": "2017-04-20T00:00:00", "descriptions": [{"lang": "en", "value": "An Information Exposure issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. Credentials may be exposed to external systems via specific URL parameters, as arbitrary destination addresses may be specified."}], "problemTypes": [{"descriptions": [{"description": "Information Exposure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-04-21T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/"}, {"name": "97256", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97256"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-5158", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Schneider Electric Wonderware InTouch Access Anywhere", "version": {"version_data": [{"version_value": "Schneider Electric Wonderware InTouch Access Anywhere"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Information Exposure issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. Credentials may be exposed to external systems via specific URL parameters, as arbitrary destination addresses may be specified."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Exposure"}]}]}, "references": {"reference_data": [{"name": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/", "refsource": "MISC", "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/"}, {"name": "97256", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97256"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:55:35.144Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/"}, {"name": "97256", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97256"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-5158", "datePublished": "2017-04-20T19:00:00", "dateReserved": "2017-01-03T00:00:00", "dateUpdated": "2024-08-05T14:55:35.144Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:wonderware_intouch_access_anywhere:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AAD0ADB-82DF-42F2-BBE1-07C74BCEF971", "versionEndIncluding": "11.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Information Exposure issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. Credentials may be exposed to external systems via specific URL parameters, as arbitrary destination addresses may be specified."}, {"lang": "es", "value": "Se ha descubierto un problema de exposici\u00f3n de la informaci\u00f3n en Schneider Electric Wonderware InTouch Access Anywhere, versi\u00f3n 11.5.2 y en versiones anteriores. Las credenciales pueden estar expuestas a sistemas externos a trav\u00e9s de par\u00e1metros espec\u00edficos de URL, se pueden especificar direcciones de destino arbitrarias."}], "id": "CVE-2017-5158", "lastModified": "2021-09-09T13:31:32.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-20T20:59:00.440", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000114/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97256"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}