Lucene search

[email protected]CVE-2014-9186

HistoryApr 08, 2019 - 4:29 p.m.

CVE-2014-9186

2019-04-0816:29:00

CWE-98

CWE-20

[email protected]

web.nvd.nist.gov

cve-2014-9186

file inclusion

vulnerability

honeywell

experion pks

r40x

r41x

r43x

information disclosure

remote code execution

upgrade

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.6%

JSON

A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.

Affected configurations

NVD

Node

honeywellexperion_process_knowledge_systemRanger400–r400.6

honeywellexperion_process_knowledge_systemRanger410–r410.6

honeywellexperion_process_knowledge_systemRanger430–r430.2

CPENameOperatorVersion
honeywell:experion_process_knowledge_systemhoneywell experion process knowledge systemltr400.6
honeywell:experion_process_knowledge_systemhoneywell experion process knowledge systemltr410.6
honeywell:experion_process_knowledge_systemhoneywell experion process knowledge systemltr430.2

CPE	Name	Operator	Version
honeywell:experion_process_knowledge_system	honeywell experion process knowledge system	lt	r400.6
honeywell:experion_process_knowledge_system	honeywell experion process knowledge system	lt	r410.6
honeywell:experion_process_knowledge_system	honeywell experion process knowledge system	lt	r430.2

CNA Affected

[
  {
    "product": "Experion PKS",
    "vendor": "Honeywell",
    "versions": [
      {
        "status": "affected",
        "version": "R40x before R400.6"
      },
      {
        "status": "affected",
        "version": "R41x before R410.6"
      },
      {
        "status": "affected",
        "version": "R43x before R430.2"
      }
    ]
  }
]

References

ics-cert.us-cert.gov/advisories/ICSA-14-352-01

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.6%

JSON

Related for CVE-2014-9186

nvd1 prion1 cvelist1 ics1