Details of VAR-201607-0385

ID

VAR-201607-0385

CVE

CVE-2016-4522

TITLE

Rockwell Automation FactoryTalk EnergyMetrix SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-05694 // CNNVD: CNNVD-201607-1000

DESCRIPTION

SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rockwell Automation FactoryTalk EnergyMetrix is a Web-based software management package for capturing, analyzing, storing, and sharing energy data from Rockwell Automation. Rockwell Automation FactoryTalk EnergyMetrix is prone to multiple security vulnerabilities. An attacker may exploit these issues to perform unauthorized actions or to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database

Trust: 2.7

sources: NVD: CVE-2016-4522 // JVNDB: JVNDB-2016-004093 // CNVD: CNVD-2016-05694 // BID: 92135 // IVD: 46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a // VULHUB: VHN-93341

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a // CNVD: CNVD-2016-05694

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	factorytalk energrymetrix	scope:	lte	version:	2.10.00	Trust: 1.0
vendor:	rockwell automation	model:	factorytalk energymetrix	scope:	lt	version:	2.20.00	Trust: 0.8
vendor:	rockwell	model:	automation factorytalk energymetrix	scope:	lt	version:	2.20.00	Trust: 0.6
vendor:	rockwellautomation	model:	factorytalk energrymetrix	scope:	eq	version:	2.10.00	Trust: 0.6
vendor:	rockwell	model:	automation factorytalk energymetrix	scope:	eq	version:	2.10	Trust: 0.3
vendor:	rockwell	model:	automation factorytalk energymetrix	scope:	ne	version:	2.30	Trust: 0.3
vendor:	rockwell	model:	automation factorytalk energymetrix	scope:	ne	version:	2.20	Trust: 0.3
vendor:	factorytalk energrymetrix	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a // CNVD: CNVD-2016-05694 // BID: 92135 // JVNDB: JVNDB-2016-004093 // CNNVD: CNNVD-201607-1000 // NVD: CVE-2016-4522

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-4522
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-4522
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-05694
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201607-1000
value:	HIGH
Trust: 0.6
IVD:	46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a
value:	HIGH
Trust: 0.2
VULHUB:	VHN-93341
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-4522
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-05694
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-93341
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-4522
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: 46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a // CNVD: CNVD-2016-05694 // VULHUB: VHN-93341 // JVNDB: JVNDB-2016-004093 // CNNVD: CNNVD-201607-1000 // NVD: CVE-2016-4522

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-93341 // JVNDB: JVNDB-2016-004093 // NVD: CVE-2016-4522

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-1000

TYPE

SQL injection

Trust: 0.8

sources: IVD: 46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a // CNNVD: CNNVD-201607-1000

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004093

PATCH

title:	FactoryTalk EnergyMetrix	url:	http://www.rockwellautomation.com/rockwellsoftware/products/factorytalk-energymetrix.page	Trust: 0.8
title:	Find Downloads	url:	http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=1&crumb=112	Trust: 0.8
title:	Rockwell Automation FactoryTalk EnergyMetrix SQL Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/79897	Trust: 0.6
title:	Rockwell Automation FactoryTalk EnergyMetrix SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63335	Trust: 0.6

sources: CNVD: CNVD-2016-05694 // JVNDB: JVNDB-2016-004093 // CNNVD: CNNVD-201607-1000

EXTERNAL IDS

db:	NVD	id:	CVE-2016-4522	Trust: 3.6
db:	ICS CERT	id:	ICSA-16-173-03	Trust: 3.4
db:	BID	id:	92135	Trust: 2.0
db:	CNNVD	id:	CNNVD-201607-1000	Trust: 0.9
db:	CNVD	id:	CNVD-2016-05694	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-004093	Trust: 0.8
db:	IVD	id:	46F26B90-9C3D-4E5F-BCEB-FC107B9E5B7A	Trust: 0.2
db:	VULHUB	id:	VHN-93341	Trust: 0.1

sources: IVD: 46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a // CNVD: CNVD-2016-05694 // VULHUB: VHN-93341 // BID: 92135 // JVNDB: JVNDB-2016-004093 // CNNVD: CNNVD-201607-1000 // NVD: CVE-2016-4522

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-173-03	Trust: 3.4
url:	http://www.securityfocus.com/bid/92135	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4522	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4522	Trust: 0.8
url:	http://www.rockwellautomation.com/	Trust: 0.3

sources: CNVD: CNVD-2016-05694 // VULHUB: VHN-93341 // BID: 92135 // JVNDB: JVNDB-2016-004093 // CNNVD: CNNVD-201607-1000 // NVD: CVE-2016-4522

CREDITS

Rockwell Automation

Trust: 0.3

sources: BID: 92135

SOURCES

db:	IVD	id:	46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a
db:	CNVD	id:	CNVD-2016-05694
db:	VULHUB	id:	VHN-93341
db:	BID	id:	92135
db:	JVNDB	id:	JVNDB-2016-004093
db:	CNNVD	id:	CNNVD-201607-1000
db:	NVD	id:	CVE-2016-4522

LAST UPDATE DATE

2025-04-13T23:09:34.539000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-05694	date:	2016-07-29T00:00:00
db:	VULHUB	id:	VHN-93341	date:	2016-11-28T00:00:00
db:	BID	id:	92135	date:	2016-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2016-004093	date:	2016-08-01T00:00:00
db:	CNNVD	id:	CNNVD-201607-1000	date:	2016-07-28T00:00:00
db:	NVD	id:	CVE-2016-4522	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	46f26b90-9c3d-4e5f-bceb-fc107b9e5b7a	date:	2016-07-29T00:00:00
db:	CNVD	id:	CNVD-2016-05694	date:	2016-07-29T00:00:00
db:	VULHUB	id:	VHN-93341	date:	2016-07-28T00:00:00
db:	BID	id:	92135	date:	2016-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2016-004093	date:	2016-08-01T00:00:00
db:	CNNVD	id:	CNNVD-201607-1000	date:	2016-07-28T00:00:00
db:	NVD	id:	CVE-2016-4522	date:	2016-07-28T02:02:11.543