Details of VAR-201505-0070

ID

VAR-201505-0070

CVE

CVE-2015-1008

TITLE

Emerson AMS Device Manager In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-002810

DESCRIPTION

SQL injection vulnerability in Emerson AMS Device Manager before 13 allows remote authenticated users to gain privileges via malformed input. Emerson Electric AMS Device Manager is a set of fixed asset management software. The software provides predictive diagnostics, device configuration management and more. The attacker can submit the malformed input to the affected software. This vulnerability can be used to access the application and its data files with administrator privileges. An authenticated attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database

Trust: 2.61

sources: NVD: CVE-2015-1008 // JVNDB: JVNDB-2015-002810 // CNVD: CNVD-2015-03472 // BID: 74774 // IVD: 8eaadd14-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 8eaadd14-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-03472

AFFECTED PRODUCTS

vendor:	emerson	model:	ams device manager	scope:	lte	version:	12.5	Trust: 1.0
vendor:	emerson	model:	ams device manager	scope:	eq	version:	12.5	Trust: 0.9
vendor:	emerson	model:	ams device manager	scope:	lt	version:	13	Trust: 0.8
vendor:	emerson	model:	ams device manager	scope:	lte	version:	<=12.5	Trust: 0.6
vendor:	emerson	model:	ams device manager	scope:	eq	version:	12.4	Trust: 0.3
vendor:	emerson	model:	ams device manager	scope:	eq	version:	12.3	Trust: 0.3
vendor:	emerson	model:	ams device manager	scope:	eq	version:	12.2	Trust: 0.3
vendor:	emerson	model:	ams device manager	scope:	eq	version:	12.1	Trust: 0.3
vendor:	emerson	model:	ams device manager	scope:	eq	version:	12.0	Trust: 0.3
vendor:	ams device manager	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 8eaadd14-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-03472 // BID: 74774 // JVNDB: JVNDB-2015-002810 // CNNVD: CNNVD-201505-505 // NVD: CVE-2015-1008

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-1008
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-1008
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-03472
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201505-505
value:	MEDIUM
Trust: 0.6
IVD:	8eaadd14-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2015-1008
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-03472
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:L/AC:L/AU:S/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	8eaadd14-2351-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:L/AC:L/AU:S/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 8eaadd14-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-03472 // JVNDB: JVNDB-2015-002810 // CNNVD: CNNVD-201505-505 // NVD: CVE-2015-1008

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2015-002810 // NVD: CVE-2015-1008

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-505

TYPE

SQL injection

Trust: 0.8

sources: IVD: 8eaadd14-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201505-505

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002810

PATCH

title:	DSN15003-2 AMS Device Manager SQL Injection Vulnerability	url:	http://community.emerson.com/process/emerson-exchange/operateandmanage/deltav/deltav_security/b/securitynotificationblog/archive/2015/04/16/dsn15003-2-ams-device-management-sql-injection-vulnerability	Trust: 0.8
title:	Emerson AMS Device Manager patch for local SQL injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/59067	Trust: 0.6

sources: CNVD: CNVD-2015-03472 // JVNDB: JVNDB-2015-002810

EXTERNAL IDS

db:	NVD	id:	CVE-2015-1008	Trust: 3.5
db:	ICS CERT	id:	ICSA-15-111-01	Trust: 3.3
db:	BID	id:	74774	Trust: 2.5
db:	CNVD	id:	CNVD-2015-03472	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-505	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-002810	Trust: 0.8
db:	IVD	id:	8EAADD14-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 8eaadd14-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-03472 // BID: 74774 // JVNDB: JVNDB-2015-002810 // CNNVD: CNNVD-201505-505 // NVD: CVE-2015-1008

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-111-01	Trust: 3.3
url:	http://community.emerson.com/process/emerson-exchange/operateandmanage/deltav/deltav_security/b/securitynotificationblog/archive/2015/04/16/dsn15003-2-ams-device-management-sql-injection-vulnerability	Trust: 1.6
url:	http://www.securityfocus.com/bid/74774	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1008	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1008	Trust: 0.8
url:	http://www2.emersonprocess.com/en-us/brands/amssuite/amsdevicemanager/pages/amsdevicemanager.aspx	Trust: 0.3

sources: CNVD: CNVD-2015-03472 // BID: 74774 // JVNDB: JVNDB-2015-002810 // CNNVD: CNNVD-201505-505 // NVD: CVE-2015-1008

CREDITS

Emerson Process Management

Trust: 0.9

sources: BID: 74774 // CNNVD: CNNVD-201505-505

SOURCES

db:	IVD	id:	8eaadd14-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-03472
db:	BID	id:	74774
db:	JVNDB	id:	JVNDB-2015-002810
db:	CNNVD	id:	CNNVD-201505-505
db:	NVD	id:	CVE-2015-1008

LAST UPDATE DATE

2025-04-13T23:25:14.495000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-03472	date:	2015-05-29T00:00:00
db:	BID	id:	74774	date:	2015-05-21T00:00:00
db:	JVNDB	id:	JVNDB-2015-002810	date:	2015-05-28T00:00:00
db:	CNNVD	id:	CNNVD-201505-505	date:	2015-05-26T00:00:00
db:	NVD	id:	CVE-2015-1008	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	8eaadd14-2351-11e6-abef-000c29c66e3d	date:	2015-05-29T00:00:00
db:	CNVD	id:	CNVD-2015-03472	date:	2015-05-29T00:00:00
db:	BID	id:	74774	date:	2015-05-21T00:00:00
db:	JVNDB	id:	JVNDB-2015-002810	date:	2015-05-28T00:00:00
db:	CNNVD	id:	CNNVD-201505-505	date:	2015-05-25T00:00:00
db:	NVD	id:	CVE-2015-1008	date:	2015-05-26T01:59:00.180