Details of VAR-201304-0006

ID

VAR-201304-0006

CVE

CVE-2012-4710

TITLE

Invensys Wonderware Win-XML Exporter XML External entity information disclosure vulnerability

Trust: 1.7

sources: IVD: 03c72976-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-03037 // BID: 58635 // CNNVD: CNNVD-201303-454

DESCRIPTION

Invensys Wonderware Win-XML Exporter 1522.148.0.0 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference. Invensys is a leading provider of automation and information technology, systems, software solutions, services and consulting for the manufacturing and infrastructure industries. Invensys Wonderware Win-XML has an information disclosure vulnerability. An attacker can exploit the vulnerability to gain sensitive information, which could lead to further attacks. An attacker could also exploit this vulnerability to cause a denial of service. Invensys Wonderware Win-XML Exporter is prone to an information-disclosure vulnerability

Trust: 2.7

sources: NVD: CVE-2012-4710 // JVNDB: JVNDB-2013-002150 // CNVD: CNVD-2013-03037 // BID: 58635 // IVD: 03c72976-2353-11e6-abef-000c29c66e3d // VULHUB: VHN-57991

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 03c72976-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-03037

AFFECTED PRODUCTS

vendor:	invensys	model:	wonderware win-xml exporter	scope:	eq	version:	1522.148.0.0	Trust: 3.3
vendor:	wonderware win xml exporter	model:	-	scope:	eq	version:	1522.148.0.0	Trust: 0.2

sources: IVD: 03c72976-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-03037 // BID: 58635 // JVNDB: JVNDB-2013-002150 // CNNVD: CNNVD-201303-454 // NVD: CVE-2012-4710

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-4710
value:	HIGH
Trust: 1.0
NVD:	CVE-2012-4710
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2013-03037
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201303-454
value:	CRITICAL
Trust: 0.6
IVD:	03c72976-2353-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-57991
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2012-4710
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2013-03037
severity:	MEDIUM
baseScore:	6.3
vectorString:	AV:L/AC:M/AU:N/C:C/I:N/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	03c72976-2353-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	6.3
vectorString:	AV:L/AC:M/AU:N/C:C/I:N/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-57991
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 03c72976-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-03037 // VULHUB: VHN-57991 // JVNDB: JVNDB-2013-002150 // CNNVD: CNNVD-201303-454 // NVD: CVE-2012-4710

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-57991 // JVNDB: JVNDB-2013-002150 // NVD: CVE-2012-4710

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201303-454

TYPE

Input validation

Trust: 0.8

sources: IVD: 03c72976-2353-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201303-454

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002150

PATCH

title:	Top Page	url:	http://iom.invensys.com/EN/Pages/home.aspx	Trust: 0.8
title:	Wonderware 日本のパートナー	url:	http://global.wonderware.com/JP/Pages/JpPartnersSI.aspx	Trust: 0.8
title:	Wonderware Top Page	url:	http://global.wonderware.com/JP/pages/default.aspx	Trust: 0.8
title:	Invensys Wonderware Win-XML Exporter XML External Entity Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/33244	Trust: 0.6

sources: CNVD: CNVD-2013-03037 // JVNDB: JVNDB-2013-002150

EXTERNAL IDS

db:	NVD	id:	CVE-2012-4710	Trust: 3.6
db:	ICS CERT	id:	ICSA-13-067-02	Trust: 3.1
db:	BID	id:	58635	Trust: 1.6
db:	CNNVD	id:	CNNVD-201303-454	Trust: 0.9
db:	CNVD	id:	CNVD-2013-03037	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-002150	Trust: 0.8
db:	SECUNIA	id:	52731	Trust: 0.6
db:	ICS CERT	id:	ICSA-13-080-01	Trust: 0.3
db:	IVD	id:	03C72976-2353-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-57991	Trust: 0.1

sources: IVD: 03c72976-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-03037 // VULHUB: VHN-57991 // BID: 58635 // JVNDB: JVNDB-2013-002150 // CNNVD: CNNVD-201303-454 // NVD: CVE-2012-4710

REFERENCES

url:	http://ics-cert.us-cert.gov/pdf/icsa-13-067-02.pdf	Trust: 3.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4710	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4710	Trust: 0.8
url:	http://secunia.com/advisories/52731	Trust: 0.6
url:	http://www.securityfocus.com/bid/58635	Trust: 0.6
url:	http://global.wonderware.com/en/pages/default.aspx	Trust: 0.3
url:	http://ics-cert.us-cert.gov/pdf/icsa-13-080-01.pdf	Trust: 0.3

sources: CNVD: CNVD-2013-03037 // VULHUB: VHN-57991 // BID: 58635 // JVNDB: JVNDB-2013-002150 // CNNVD: CNNVD-201303-454 // NVD: CVE-2012-4710

CREDITS

Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team

Trust: 0.9

sources: BID: 58635 // CNNVD: CNNVD-201303-454

SOURCES

db:	IVD	id:	03c72976-2353-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2013-03037
db:	VULHUB	id:	VHN-57991
db:	BID	id:	58635
db:	JVNDB	id:	JVNDB-2013-002150
db:	CNNVD	id:	CNNVD-201303-454
db:	NVD	id:	CVE-2012-4710

LAST UPDATE DATE

2025-04-11T23:08:47.051000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-03037	date:	2013-05-27T00:00:00
db:	VULHUB	id:	VHN-57991	date:	2013-04-04T00:00:00
db:	BID	id:	58635	date:	2013-03-21T00:00:00
db:	JVNDB	id:	JVNDB-2013-002150	date:	2013-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201303-454	date:	2013-04-07T00:00:00
db:	NVD	id:	CVE-2012-4710	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	IVD	id:	03c72976-2353-11e6-abef-000c29c66e3d	date:	2013-04-15T00:00:00
db:	CNVD	id:	CNVD-2013-03037	date:	2013-04-15T00:00:00
db:	VULHUB	id:	VHN-57991	date:	2013-04-04T00:00:00
db:	BID	id:	58635	date:	2013-03-21T00:00:00
db:	JVNDB	id:	JVNDB-2013-002150	date:	2013-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201303-454	date:	2013-03-22T00:00:00
db:	NVD	id:	CVE-2012-4710	date:	2013-04-04T16:55:01.037