CVE-2019-18995 - OpenCVE

The HMISimulator component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier fails to validate the content-length field for HTTP requests, exposing HMISimulator to denial of service via crafted HTTP requests manipulating the content-length setting.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Abb	Pb610 Panel Builder 600

Configuration 1 [-]

cpe:2.3:a:abb:pb610_panel_builder_600:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://search.abb.com/library/Download.aspx?DocumentID=3ADR010466&LanguageCode=en&DocumentPartId=&Action=Launch

History

No history.

MITRE

Status: PUBLISHED

Assigner: ABB

Published: 2019-12-18T20:19:34

Updated: 2024-08-05T02:02:40.045Z

Reserved: 2019-11-15T00:00:00

Link: CVE-2019-18995

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-12-18T21:15:13.397

Modified: 2019-12-31T16:36:07.567

Link: CVE-2019-18995

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PB610 Panel Builder 600", "vendor": "ABB", "versions": [{"lessThanOrEqual": "2.8.0.424", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "NSFOCUS for providing vulnerability details and proof of concept."}], "descriptions": [{"lang": "en", "value": "The HMISimulator component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier fails to validate the content-length field for HTTP requests, exposing HMISimulator to denial of service via crafted HTTP requests manipulating the content-length setting."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-18T20:19:34", "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://search.abb.com/library/Download.aspx?DocumentID=3ADR010466&LanguageCode=en&DocumentPartId=&Action=Launch"}], "source": {"defect": ["ABBVU-RAMF-1908002"], "discovery": "UNKNOWN"}, "title": "ABB PB610 HMISimulator does not check content-length of the HTTP request", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@ch.abb.com", "ID": "CVE-2019-18995", "STATE": "PUBLIC", "TITLE": "ABB PB610 HMISimulator does not check content-length of the HTTP request"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PB610 Panel Builder 600", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.8.0.424"}]}}]}, "vendor_name": "ABB"}]}}, "credit": [{"lang": "eng", "value": "NSFOCUS for providing vulnerability details and proof of concept."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HMISimulator component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier fails to validate the content-length field for HTTP requests, exposing HMISimulator to denial of service via crafted HTTP requests manipulating the content-length setting."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "http://search.abb.com/library/Download.aspx?DocumentID=3ADR010466&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "http://search.abb.com/library/Download.aspx?DocumentID=3ADR010466&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "source": {"defect": ["ABBVU-RAMF-1908002"], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:02:40.045Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://search.abb.com/library/Download.aspx?DocumentID=3ADR010466&LanguageCode=en&DocumentPartId=&Action=Launch"}]}]}, "cveMetadata": {"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "assignerShortName": "ABB", "cveId": "CVE-2019-18995", "datePublished": "2019-12-18T20:19:34", "dateReserved": "2019-11-15T00:00:00", "dateUpdated": "2024-08-05T02:02:40.045Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:pb610_panel_builder_600:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A9714CC-B58C-4D3E-A618-8C8146032D6B", "versionEndIncluding": "2.8.0.424", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HMISimulator component of ABB PB610 Panel Builder 600 versions 2.8.0.424 and earlier fails to validate the content-length field for HTTP requests, exposing HMISimulator to denial of service via crafted HTTP requests manipulating the content-length setting."}, {"lang": "es", "value": "El componente HMISimulator de ABB PB610 Panel Builder 600 versiones 2.8.0.424 y anteriores, no comprueba el campo de longitud de contenido para peticiones HTTP, exponiendo HMISimulator a una denegaci\u00f3n de servicio por medio de peticiones HTTP dise\u00f1adas que manipulan la configuraci\u00f3n de longitud de contenido."}], "id": "CVE-2019-18995", "lastModified": "2019-12-31T16:36:07.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2019-12-18T21:15:13.397", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Third Party Advisory"], "url": "http://search.abb.com/library/Download.aspx?DocumentID=3ADR010466&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}