ID

VAR-201408-0350


CVE

CVE-2014-5398


TITLE

Schneider Electric Wonderware Information Server Vulnerable to reading arbitrary files

Trust: 0.8

sources: JVNDB: JVNDB-2014-003984

DESCRIPTION

Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Schneider Electric Wonderware Information Server (WIS) contains a vulnerability that allows arbitrary files to be read or a denial-of-service (DoS) condition to be caused. Invensys Wonderware Information Server provides graphical visualization, reporting and analysis of real-time, network-based plant operations data that helps drive productivity across the enterprise. Invensys Wonderware Information Server has an information disclosure vulnerability that can be exploited by local attackers to obtain sensitive information. The program supports dashboards, pre-designed industrial activity reports, etc., and provides processes for analysis or write-back mechanisms. A security vulnerability exists in Schneider Electric WIS Portal versions 4.0 SP1 to 5.5.

Trust: 2.7

sources: NVD: CVE-2014-5398 // JVNDB: JVNDB-2014-003984 // CNVD: CNVD-2014-05272 // BID: 69417 // IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-73339

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.8

sources: IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05272

AFFECTED PRODUCTS

vendor: invensys // model: wonderware information server // scope: eq // version: 5.5

Trust: 1.6

vendor: invensys // model: wonderware information server // scope: eq // version: 4.5

Trust: 1.6

vendor: invensys // model: wonderware information server // scope: eq // version: 4.0

Trust: 1.6

vendor: invensys // model: wonderware information server // scope: eq // version: 5.0

Trust: 1.6

vendor: invensys // model: wonderware information server sp1 // scope: eq // version: 4.0

Trust: 0.9

vendor: invensys // model: wonderware information server portal // scope: eq // version: 4.5

Trust: 0.9

vendor: invensys // model: wonderware information server // scope: eq // version: portal 4.0 sp1 to 5.5

Trust: 0.8

vendor: invensys // model: wonderware information server portal // scope: eq // version: 5.0

Trust: 0.6

vendor: invensys // model: wonderware information server portal // scope: eq // version: 5.5

Trust: 0.6

vendor: wonderware information server // model: - // scope: eq // version: 4.0

Trust: 0.4

vendor: wonderware information server // model: - // scope: eq // version: 4.5

Trust: 0.2

vendor: wonderware information server // model: - // scope: eq // version: 5.0

Trust: 0.2

vendor: wonderware information server // model: - // scope: eq // version: 5.5

Trust: 0.2

sources: IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05272 // BID: 69417 // JVNDB: JVNDB-2014-003984 // CNNVD: CNNVD-201408-433 // NVD: CVE-2014-5398

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5398
value: LOW

Trust: 1.0

NVD: CVE-2014-5398
value: LOW

Trust: 0.8

CNVD: CNVD-2014-05272
value: LOW

Trust: 0.6

CNNVD: CNNVD-201408-433
value: LOW

Trust: 0.6

IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

VULHUB: VHN-73339
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-5398
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-05272
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-73339
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05272 // VULHUB: VHN-73339 // JVNDB: JVNDB-2014-003984 // CNNVD: CNNVD-201408-433 // NVD: CVE-2014-5398

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-73339 // JVNDB: JVNDB-2014-003984 // NVD: CVE-2014-5398

THREAT TYPE

local

Trust: 0.9

sources: BID: 69417 // CNNVD: CNNVD-201408-433

TYPE

Input validation

Trust: 0.8

sources: IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201408-433

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003984

PATCH

title: Wonderware Information Server // url: http://software.invensys.com/products/wonderware/production-information-management/information-server/

Trust: 0.8

title: Patch for Invensys Wonderware Information Server Information Disclosure Vulnerability (CNVD-2014-05272) // url: https://www.cnvd.org.cn/patchInfo/show/49431

Trust: 0.6

sources: CNVD: CNVD-2014-05272 // JVNDB: JVNDB-2014-003984

EXTERNAL IDS

db: NVD // id: CVE-2014-5398

Trust: 3.7

db: ICS CERT // id: ICSA-14-238-02

Trust: 3.1

db: BID // id: 69417

Trust: 1.0

db: CNNVD // id: CNNVD-201408-433

Trust: 0.9

db: CNVD // id: CNVD-2014-05272

Trust: 0.8

db: JVNDB // id: JVNDB-2014-003984

Trust: 0.8

db: IVD // id: DCECF3F4-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB // id: VHN-73339

Trust: 0.1

db: PACKETSTORM // id: 128111

Trust: 0.1

sources: IVD: dcecf3f4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05272 // VULHUB: VHN-73339 // BID: 69417 // JVNDB: JVNDB-2014-003984 // PACKETSTORM: 128111 // CNNVD: CNNVD-201408-433 // NVD: CVE-2014-5398

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-14-238-02

Trust: 3.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5398

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5398

Trust: 0.8

url:http://www.securityfocus.com/bid/69417/info

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2014-5398

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-5399

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-5397

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2380

Trust: 0.1

sources: CNVD: CNVD-2014-05272 // VULHUB: VHN-73339 // JVNDB: JVNDB-2014-003984 // PACKETSTORM: 128111 // CNNVD: CNNVD-201408-433 // NVD: CVE-2014-5398

CREDITS

Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team

Trust: 0.3

sources: BID: 69417

SOURCES

db: IVD // id: dcecf3f4-2351-11e6-abef-000c29c66e3d
db: CNVD // id: CNVD-2014-05272
db: VULHUB // id: VHN-73339
db: BID // id: 69417
db: JVNDB // id: JVNDB-2014-003984
db: PACKETSTORM // id: 128111
db: CNNVD // id: CNNVD-201408-433
db: NVD // id: CVE-2014-5398

LAST UPDATE DATE

2025-04-13T23:04:56.157000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2014-05272 // date: 2014-08-28T00:00:00
db: VULHUB // id: VHN-73339 // date: 2014-08-28T00:00:00
db: BID // id: 69417 // date: 2014-08-26T00:00:00
db: JVNDB // id: JVNDB-2014-003984 // date: 2014-08-29T00:00:00
db: CNNVD // id: CNNVD-201408-433 // date: 2014-08-29T00:00:00
db: NVD // id: CVE-2014-5398 // date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD // id: dcecf3f4-2351-11e6-abef-000c29c66e3d // date: 2014-08-28T00:00:00
db: CNVD // id: CNVD-2014-05272 // date: 2014-08-28T00:00:00
db: VULHUB // id: VHN-73339 // date: 2014-08-28T00:00:00
db: BID // id: 69417 // date: 2014-08-26T00:00:00
db: JVNDB // id: JVNDB-2014-003984 // date: 2014-08-29T00:00:00
db: PACKETSTORM // id: 128111 // date: 2014-09-01T14:55:55
db: CNNVD // id: CNNVD-201408-433 // date: 2014-08-29T00:00:00
db: NVD // id: CVE-2014-5398 // date: 2014-08-28T01:55:03.607