CVE-2019-10915 - OpenCVE

A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Siemens	Sinetplan Tia Administrator

Configuration 1 [-]

cpe:2.3:a:siemens:tia_administrator:1.0:sp1:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:siemens:sinetplan:2.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/109124
https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf
https://www.us-cert.gov/ics/advisories/icsa-19-253-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2019-07-11T21:17:46

Updated: 2024-08-04T22:40:15.369Z

Reserved: 2019-04-08T00:00:00

Link: CVE-2019-10915

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-11T22:15:11.047

Modified: 2020-10-02T14:29:36.723

Link: CVE-2019-10915

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TIA Administrator", "vendor": "Siemens AG", "versions": [{"status": "affected", "version": "All versions < V1.0 SP1 Upd1"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-24T15:35:14", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf"}, {"name": "109124", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109124"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2019-10915", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIA Administrator", "version": {"version_data": [{"version_value": "All versions < V1.0 SP1 Upd1"}]}}]}, "vendor_name": "Siemens AG"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306: Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf"}, {"name": "109124", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109124"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf"}, {"name": "https://www.us-cert.gov/ics/advisories/icsa-19-253-02", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:15.369Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf"}, {"name": "109124", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109124"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-02"}]}]}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2019-10915", "datePublished": "2019-07-11T21:17:46", "dateReserved": "2019-04-08T00:00:00", "dateUpdated": "2024-08-04T22:40:15.369Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:tia_administrator:1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "3DC7C974-2812-4760-B2AE-F264AD2335A9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinetplan:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "77BA7DF4-7836-43FC-8163-86F0F9BC2FB7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en TIA Administrator (todas las versiones anteriores a V1.0 SP1 Upd1). La aplicaci\u00f3n web de configuraci\u00f3n integrada (TIA Administrator) permite ejecutar determinados comandos de la aplicaci\u00f3n sin la autenticaci\u00f3n apropiada. La vulnerabilidad podr\u00eda ser explotada por un atacante con acceso local en el sistema afectado. La explotaci\u00f3n con \u00e9xito no requiere privilegios ni interacci\u00f3n con el usuario. Un atacante podr\u00eda usar la vulnerabilidad para comprometer la confidencialidad, la integridad y la disponibilidad del sistema afectado. En el momento de la publicaci\u00f3n de asesoramiento, no se conoc\u00eda la explotaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad."}], "id": "CVE-2019-10915", "lastModified": "2020-10-02T14:29:36.723", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-11T22:15:11.047", "references": [{"source": "productcert@siemens.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109124"}, {"source": "productcert@siemens.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-721298.pdf"}, {"source": "productcert@siemens.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf"}, {"source": "productcert@siemens.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-253-02"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "productcert@siemens.com", "type": "Secondary"}]}