ID

VAR-201408-0351


CVE

CVE-2014-5399


TITLE

SQL injection vulnerability in Schneider Electric Wonderware Information Server

Trust: 0.8

sources: JVNDB: JVNDB-2014-003985

DESCRIPTION

SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Exploitation allows an attacker to compromise the application, access or modify data, or exploit potential vulnerabilities in the underlying database. Invensys Wonderware Information Server is a web-based solution that centrally presents production management information. The program supports dashboards, pre-designed industrial activity reports, etc., and provides processes for analysis or write-back mechanisms.

Trust: 2.7

sources: NVD: CVE-2014-5399 // JVNDB: JVNDB-2014-003985 // CNVD: CNVD-2014-05273 // BID: 69416 // IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-73340

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05273

AFFECTED PRODUCTS

vendor: invensys, model: wonderware information server, scope: eq, version: 5.5

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 4.5

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 4.0

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 5.0

Trust: 1.6

vendor: invensys, model: wonderware information server sp1, scope: eq, version: 4.0

Trust: 0.9

vendor: invensys, model: wonderware information server portal, scope: eq, version: 4.5

Trust: 0.9

vendor: invensys, model: wonderware information server, scope: eq, version: portal 4.0 sp1 to 5.5

Trust: 0.8

vendor: invensys, model: wonderware information server portal, scope: eq, version: 5.0

Trust: 0.6

vendor: invensys, model: wonderware information server portal, scope: eq, version: 5.5

Trust: 0.6

vendor: wonderware information server, model: -, scope: eq, version: 4.0

Trust: 0.4

vendor: wonderware information server, model: -, scope: eq, version: 4.5

Trust: 0.2

vendor: wonderware information server, model: -, scope: eq, version: 5.0

Trust: 0.2

vendor: wonderware information server, model: -, scope: eq, version: 5.5

Trust: 0.2

sources: IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05273 // BID: 69416 // JVNDB: JVNDB-2014-003985 // CNNVD: CNNVD-201408-434 // NVD: CVE-2014-5399

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5399
value: HIGH

Trust: 1.0

NVD: CVE-2014-5399
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-05273
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201408-434
value: HIGH

Trust: 0.6

IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULHUB: VHN-73340
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-5399
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-05273
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-73340
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05273 // VULHUB: VHN-73340 // JVNDB: JVNDB-2014-003985 // CNNVD: CNNVD-201408-434 // NVD: CVE-2014-5399

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-73340 // JVNDB: JVNDB-2014-003985 // NVD: CVE-2014-5399

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201408-434

TYPE

SQL injection

Trust: 0.8

sources: IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201408-434

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003985

PATCH

title: Wonderware Information Server, url: http://software.invensys.com/products/wonderware/production-information-management/information-server/

Trust: 0.8

title: Patch for Invensys Wonderware Information Server SQL Injection Vulnerability (CNVD-2014-05273), url: https://www.cnvd.org.cn/patchInfo/show/49432

Trust: 0.6

sources: CNVD: CNVD-2014-05273 // JVNDB: JVNDB-2014-003985

EXTERNAL IDS

db: NVD, id: CVE-2014-5399

Trust: 3.7

db: ICS CERT, id: ICSA-14-238-02

Trust: 3.4

db: BID, id: 69416

Trust: 2.0

db: CNNVD, id: CNNVD-201408-434

Trust: 0.9

db: CNVD, id: CNVD-2014-05273

Trust: 0.8

db: JVNDB, id: JVNDB-2014-003985

Trust: 0.8

db: IVD, id: DBDB76FC-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-73340

Trust: 0.1

db: PACKETSTORM, id: 128111

Trust: 0.1

sources: IVD: dbdb76fc-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05273 // VULHUB: VHN-73340 // BID: 69416 // JVNDB: JVNDB-2014-003985 // PACKETSTORM: 128111 // CNNVD: CNNVD-201408-434 // NVD: CVE-2014-5399

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-14-238-02

Trust: 3.4

url: http://www.securityfocus.com/bid/69416

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5399

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5399

Trust: 0.8

url: http://global.wonderware.com/en/pages/wonderwareinformationserver.aspx

Trust: 0.3

url: https://nvd.nist.gov/vuln/detail/cve-2014-5398

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2014-5399

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2014-5397

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2014-2381

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2014-2380

Trust: 0.1

sources: CNVD: CNVD-2014-05273 // VULHUB: VHN-73340 // BID: 69416 // JVNDB: JVNDB-2014-003985 // PACKETSTORM: 128111 // CNNVD: CNNVD-201408-434 // NVD: CVE-2014-5399

CREDITS

Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team

Trust: 0.3

sources: BID: 69416

SOURCES

db: IVD, id: dbdb76fc-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2014-05273
db: VULHUB, id: VHN-73340
db: BID, id: 69416
db: JVNDB, id: JVNDB-2014-003985
db: PACKETSTORM, id: 128111
db: CNNVD, id: CNNVD-201408-434
db: NVD, id: CVE-2014-5399

LAST UPDATE DATE

2025-04-13T23:04:56.200000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-05273, date: 2014-08-28T00:00:00
db: VULHUB, id: VHN-73340, date: 2015-11-02T00:00:00
db: BID, id: 69416, date: 2015-03-19T09:15:00
db: JVNDB, id: JVNDB-2014-003985, date: 2014-08-29T00:00:00
db: CNNVD, id: CNNVD-201408-434, date: 2014-08-29T00:00:00
db: NVD, id: CVE-2014-5399, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: dbdb76fc-2351-11e6-abef-000c29c66e3d, date: 2014-08-28T00:00:00
db: CNVD, id: CNVD-2014-05273, date: 2014-08-28T00:00:00
db: VULHUB, id: VHN-73340, date: 2014-08-28T00:00:00
db: BID, id: 69416, date: 2014-08-26T00:00:00
db: JVNDB, id: JVNDB-2014-003985, date: 2014-08-29T00:00:00
db: PACKETSTORM, id: 128111, date: 2014-09-01T14:55:55
db: CNNVD, id: CNNVD-201408-434, date: 2014-08-29T00:00:00
db: NVD, id: CVE-2014-5399, date: 2014-08-28T01:55:03.653