CVE-2019-12532 - OpenCVE

Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Insyde	H2oelv H2offt H2ooae H2opcm H2osde H2ouve

Configuration 1 [-]

OR	cpe:2.3:a:insyde:h2oelv::::::::
	cpe:2.3:a:insyde:h2offt::::::::
	cpe:2.3:a:insyde:h2offt::::::::
	cpe:2.3:a:insyde:h2offt::::::::
	cpe:2.3:a:insyde:h2ooae::::::::
	cpe:2.3:a:insyde:h2opcm::::::::
	cpe:2.3:a:insyde:h2osde::::::::
	cpe:2.3:a:insyde:h2ouve::::::::

No data.

References

Link	Providers
https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
https://security.netapp.com/advisory/ntap-20220223-0004/
https://www.insyde.com/security-pledge/SA-2019001

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-26T17:06:07

Updated: 2024-08-04T23:24:38.523Z

Reserved: 2019-06-02T00:00:00

Link: CVE-2019-12532

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-26T18:15:11.797

Modified: 2022-04-29T12:30:21.137

Link: CVE-2019-12532

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-08-12T00:00:00", "descriptions": [{"lang": "en", "value": "Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-23T17:06:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.insyde.com/security-pledge/SA-2019001"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220223-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12532", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/", "refsource": "MISC", "url": "https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/"}, {"name": "https://www.insyde.com/security-pledge/SA-2019001", "refsource": "CONFIRM", "url": "https://www.insyde.com/security-pledge/SA-2019001"}, {"name": "https://security.netapp.com/advisory/ntap-20220223-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220223-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:24:38.523Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.insyde.com/security-pledge/SA-2019001"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220223-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12532", "datePublished": "2019-08-26T17:06:07", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.523Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:insyde:h2oelv:*:*:*:*:*:*:*:*", "matchCriteriaId": "A64F3B59-F104-4DEE-A196-DCBD76F790CC", "versionEndExcluding": "100.00.02.08", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2offt:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BF51709-D72C-4E4E-B92D-B78553BDCE97", "versionEndIncluding": "5.28", "versionStartIncluding": "3.02", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2offt:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A4D96B2-1C62-4F7D-95A5-9587808AE832", "versionEndIncluding": "100.00.08.23", "versionStartIncluding": "100.00.00.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2offt:*:*:*:*:*:*:*:*", "matchCriteriaId": "6894832B-0015-46A3-8BB5-46D35FE9F9D5", "versionEndIncluding": "200.00.00.05", "versionStartIncluding": "200.00.00.01", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2ooae:*:*:*:*:*:*:*:*", "matchCriteriaId": "5410FBD1-F831-4740-991D-2A38C989FF8B", "versionEndExcluding": "200.00.00.02", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2opcm:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B7CD64C-5D98-4457-A834-BC1DDC4C94BA", "versionEndExcluding": "100.00.06.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2osde:*:*:*:*:*:*:*:*", "matchCriteriaId": "B75D2834-4B85-4473-9B66-36A608C00C52", "versionEndExcluding": "200.00.00.07", "vulnerable": true}, {"criteria": "cpe:2.3:a:insyde:h2ouve:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C1B7A5E-F3AA-4AD3-AE9B-92D12C542753", "versionEndExcluding": "200.00.02.02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08."}, {"lang": "es", "value": "El control de acceso inadecuado en las herramientas de software de Insyde puede permitir que un usuario autenticado permita potencialmente la escalada de privilegios o la divulgaci\u00f3n de informaci\u00f3n a trav\u00e9s del acceso local. Esta es una vulnerabilidad de software, no un problema de firmware. Las herramientas afectadas incluyen: H2OFFT versi\u00f3n 3.02 ~ 5.28, 100.00.00.00 ~ 100.00.08.23 y 200.00.00.01 ~ 200.00.00.05, H2OOAE antes de la versi\u00f3n 200.00.00.02, H2OSDE antes de la versi\u00f3n 200.00.00.07, H2OUVE antes de la versi\u00f3n 200.00.02.02, H2OPCM antes de la versi\u00f3n 100.00.06.00, H2OELV antes de la versi\u00f3n 100.00.02.08."}], "id": "CVE-2019-12532", "lastModified": "2022-04-29T12:30:21.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-26T18:15:11.797", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220223-0004/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.insyde.com/security-pledge/SA-2019001"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}