Sign-up

ID

VAR-201305-0090


CVE

CVE-2013-0686


TITLE

Invensys Wonderware Information Server Information Disclosure Vulnerability

Trust: 0.8

sources: IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05031

DESCRIPTION

Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Invensys Wonderware Information Server can centrally reflect web management solutions for production management. There are security vulnerabilities in the implementation of Wonderware Information Server 4.0 SP1, Wonderware Information Server 4.5 Portal, and Wonderware Information Server 5.0 Portal. A local attacker exploited this vulnerability to obtain sensitive information. Through the network solution, this product can conveniently display the factory performance indicators and production data to the operation, operation and maintenance and engineering personnel, and is widely used in petroleum, natural gas, chemical and other industries. Entity (XXE) issues

Trust: 2.7

sources: NVD: CVE-2013-0686 // JVNDB: JVNDB-2013-002605 // CNVD: CNVD-2013-05031 // BID: 59708 // IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // VULHUB: VHN-60688

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05031

AFFECTED PRODUCTS

vendor:invensysmodel:wonderware information serverscope:eqversion:4.5

Trust: 1.6

vendor:invensysmodel:wonderware information serverscope:eqversion:4.0

Trust: 1.6

vendor:invensysmodel:wonderware information serverscope:eqversion:5.0

Trust: 1.6

vendor:invensysmodel:wonderware information server sp1scope:eqversion:4.0

Trust: 0.9

vendor:invensysmodel:wonderware information server portalscope:eqversion:4.5

Trust: 0.9

vendor:invensysmodel:wonderware information serverscope:eqversion:4.0 sp1sp1

Trust: 0.8

vendor:invensysmodel:wonderware information serverscope:eqversion:4.5- portal

Trust: 0.8

vendor:invensysmodel:wonderware information serverscope:eqversion:5.0- portal

Trust: 0.8

vendor:wonderware information servermodel: - scope:eqversion:4.0

Trust: 0.2

vendor:wonderware information servermodel: - scope:eqversion:4.5

Trust: 0.2

vendor:wonderware information servermodel: - scope:eqversion:5.0

Trust: 0.2

sources: IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05031 // BID: 59708 // JVNDB: JVNDB-2013-002605 // CNNVD: CNNVD-201305-138 // NVD: CVE-2013-0686

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-0686
value: HIGH

Trust: 1.0

NVD: CVE-2013-0686
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-05031
value: LOW

Trust: 0.6

CNNVD: CNNVD-201305-138
value: CRITICAL

Trust: 0.6

IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d
value: CRITICAL

Trust: 0.2

VULHUB: VHN-60688
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-0686
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-05031
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-60688
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05031 // VULHUB: VHN-60688 // JVNDB: JVNDB-2013-002605 // CNNVD: CNNVD-201305-138 // NVD: CVE-2013-0686

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-60688 // JVNDB: JVNDB-2013-002605 // NVD: CVE-2013-0686

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-138

TYPE

Input validation

Trust: 0.8

sources: IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201305-138

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-002605

PATCH
title:Top Pageurl:http://global.wonderware.com/EN/Pages/default.aspx
Trust: 0.8
title:Wonderware 日本のパートナーurl:http://global.wonderware.com/JP/Pages/JpPartnersSI.aspx
Trust: 0.8
title:ハードウェア・パートナーurl:http://iom.invensys.com/JP/Pages/IOM_HardwarePartners.aspx
Trust: 0.8
title:ソフトウェア・パートナーurl:http://iom.invensys.com/JP/Pages/IOM_SoftwarePartners.aspx
Trust: 0.8
title:Wonderware Top Pageurl:http://iom.invensys.com/JP/Pages/home.aspx
Trust: 0.8
title:Patch for Invensys Wonderware Information Server Information Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/33857
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2013-05031 // 
            
            
            
            JVNDB: JVNDB-2013-002605

EXTERNAL IDS
db:NVDid:CVE-2013-0686
Trust: 3.6
db:ICS CERTid:ICSA-13-113-01
Trust: 3.4
db:BIDid:59708
Trust: 1.6
db:CNNVDid:CNNVD-201305-138
Trust: 0.9
db:CNVDid:CNVD-2013-05031
Trust: 0.8
db:JVNDBid:JVNDB-2013-002605
Trust: 0.8
db:SECUNIAid:53308
Trust: 0.6
db:IVDid:F4AC02F4-2352-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-60688
Trust: 0.1
sources:
            
            
            IVD: f4ac02f4-2352-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2013-05031 // 
            
            
            
            VULHUB: VHN-60688 // 
            
            
            
            BID: 59708 // 
            
            
            
            JVNDB: JVNDB-2013-002605 // 
            
            
            
            CNNVD: CNNVD-201305-138 // 
            
            
            
            NVD: CVE-2013-0686

REFERENCES
url:http://ics-cert.us-cert.gov/advisories/icsa-13-113-01
Trust: 3.4
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0686
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0686
Trust: 0.8
url:http://secunia.com/advisories/53308
Trust: 0.6
url:http://www.securityfocus.com/bid/59708
Trust: 0.6
url:http://global.wonderware.com/en/pages/wonderwareinformationserver.aspx
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2013-05031 // 
            
            
            
            VULHUB: VHN-60688 // 
            
            
            
            BID: 59708 // 
            
            
            
            JVNDB: JVNDB-2013-002605 // 
            
            
            
            CNNVD: CNNVD-201305-138 // 
            
            
            
            NVD: CVE-2013-0686

CREDITS
Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team
Trust: 0.9
sources:
            
            
            BID: 59708 // 
            
            
            
            CNNVD: CNNVD-201305-138

SOURCES
db:IVDid:f4ac02f4-2352-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2013-05031
db:VULHUBid:VHN-60688
db:BIDid:59708
db:JVNDBid:JVNDB-2013-002605
db:CNNVDid:CNNVD-201305-138
db:NVDid:CVE-2013-0686

LAST UPDATE DATE
2025-04-11T22:53:19.541000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2013-05031date:2013-05-27T00:00:00
db:VULHUBid:VHN-60688date:2013-05-09T00:00:00
db:BIDid:59708date:2013-05-07T00:00:00
db:JVNDBid:JVNDB-2013-002605date:2013-05-10T00:00:00
db:CNNVDid:CNNVD-201305-138date:2013-05-17T00:00:00
db:NVDid:CVE-2013-0686date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:IVDid:f4ac02f4-2352-11e6-abef-000c29c66e3ddate:2013-05-10T00:00:00
db:CNVDid:CNVD-2013-05031date:2013-05-10T00:00:00
db:VULHUBid:VHN-60688date:2013-05-09T00:00:00
db:BIDid:59708date:2013-05-07T00:00:00
db:JVNDBid:JVNDB-2013-002605date:2013-05-10T00:00:00
db:CNNVDid:CNNVD-201305-138date:2013-05-17T00:00:00
db:NVDid:CVE-2013-0686date:2013-05-09T12:31:18.990