Lucene search

K
cve[email protected]CVE-2019-6837
HistorySep 17, 2019 - 8:15 p.m.

CVE-2019-6837

2019-09-1720:15:12
CWE-918
web.nvd.nist.gov
90
2
cve-2019-6837
server-side request forgery
ssrf
cwe-918
u.motion server
meg6501-0001
meg6501-0002
meg6260-0410
meg6260-0415
url modification
data exposure

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.9%

A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could cause server configuration data to be exposed when an attacker modifies a URL.

Affected configurations

NVD
Node
schneider-electricmeg6501-0001_firmwareRange<1.3.7
AND
schneider-electricmeg6501-0001Match-
Node
schneider-electricmeg6501-0002_firmwareRange<1.3.7
AND
schneider-electricmeg6501-0002Match-
Node
schneider-electricmeg6260-0410_firmwareRange<1.3.7
AND
schneider-electricmeg6260-0410Match-
Node
schneider-electricmeg6260-0415_firmwareRange<1.3.7
AND
schneider-electricmeg6260-0415Match-

CNA Affected

[
  {
    "product": "U.motion Server",
    "vendor": "CVE-2019-6837",
    "versions": [
      {
        "status": "affected",
        "version": "MEG6501-0001 - U.motion KNX server"
      },
      {
        "status": "affected",
        "version": "MEG6501-0002 - U.motion KNX Server Plus"
      },
      {
        "status": "affected",
        "version": "MEG6260-0410 - U.motion KNX Server Plus"
      },
      {
        "status": "affected",
        "version": "Touch 10"
      },
      {
        "status": "affected",
        "version": "MEG6260-0415 - U.motion KNX Server Plus"
      },
      {
        "status": "affected",
        "version": "Touch 15"
      }
    ]
  }
]

Social References

More

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.9%

Related for CVE-2019-6837