Sign-up

ID

VAR-201702-0076


CVE

CVE-2016-8369


TITLE

Lynxspring JENEsys BAS Bridge Cross-Site Request Forgery Vulnerability

Trust: 1.4

sources: IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a // CNVD: CNVD-2016-11243 // CNNVD: CNNVD-201611-549

DESCRIPTION

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. The application does not sufficiently verify if a request was intentionally provided by the user who submitted the request (CROSS-SITE REQUEST FORGERY). Lynxspring is an American company. BAS Bridge is a web-based SCADA system. BAS server deployment areas include commercial facilities, manufacturing, energy, water and wastewater systems, and more. The application was not fully validated by the application. An attacker can exploit a vulnerability to create or delete users. A privilege-escalation vulnerability 2. An authentication-bypass vulnerability 3. A security-bypass vulnerability 3. A cross-site request-forgery vulnerability An attackers may exploit these issues to gain unauthorized access to restricted content, bypass intended security restrictions, gain elevated privileges or perform certain unauthorized actions and gain access to the affected application that may aid in launching further attacks

Trust: 2.61

sources: NVD: CVE-2016-8369 // JVNDB: JVNDB-2016-007648 // CNVD: CNVD-2016-11243 // BID: 94344 // IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a // CNVD: CNVD-2016-11243

AFFECTED PRODUCTS

vendor:lynxspringmodel:jenesys bas bridgescope:lteversion:1.1.8

Trust: 1.8

vendor:lynxspringmodel:bas bridgescope:eqversion:1.1.8

Trust: 0.9

vendor:lynxspringmodel:jenesys bas bridgescope:eqversion:1.1.8

Trust: 0.6

vendor:jenesys bas bridgemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a // CNVD: CNVD-2016-11243 // BID: 94344 // JVNDB: JVNDB-2016-007648 // CNNVD: CNNVD-201611-549 // NVD: CVE-2016-8369

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8369
value: HIGH

Trust: 1.0

NVD: CVE-2016-8369
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-11243
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201611-549
value: MEDIUM

Trust: 0.6

IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2016-8369
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-11243
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-8369
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a // CNVD: CNVD-2016-11243 // JVNDB: JVNDB-2016-007648 // CNNVD: CNNVD-201611-549 // NVD: CVE-2016-8369

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.8

sources: JVNDB: JVNDB-2016-007648 // NVD: CVE-2016-8369

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-549

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201611-549

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-007648

PATCH
title:Top Pageurl:http://www.lynxspring.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2016-007648

EXTERNAL IDS
db:NVDid:CVE-2016-8369
Trust: 3.5
db:ICS CERTid:ICSA-16-320-01
Trust: 3.3
db:BIDid:94344
Trust: 2.5
db:CNVDid:CNVD-2016-11243
Trust: 0.8
db:CNNVDid:CNNVD-201611-549
Trust: 0.8
db:JVNDBid:JVNDB-2016-007648
Trust: 0.8
db:IVDid:9CAC3A7E-7E99-4F38-B27E-C99367A1891A
Trust: 0.2
sources:
            
            
            IVD: 9cac3a7e-7e99-4f38-b27e-c99367a1891a // 
            
            
            
            CNVD: CNVD-2016-11243 // 
            
            
            
            BID: 94344 // 
            
            
            
            JVNDB: JVNDB-2016-007648 // 
            
            
            
            CNNVD: CNNVD-201611-549 // 
            
            
            
            NVD: CVE-2016-8369

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-320-01
Trust: 3.3
url:http://www.securityfocus.com/bid/94344
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8369
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8369
Trust: 0.8
url:http://www.lynxspring.com/technology/jenesys
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2016-11243 // 
            
            
            
            BID: 94344 // 
            
            
            
            JVNDB: JVNDB-2016-007648 // 
            
            
            
            CNNVD: CNNVD-201611-549 // 
            
            
            
            NVD: CVE-2016-8369

CREDITS
Maxim Rupp
Trust: 0.9
sources:
            
            
            BID: 94344 // 
            
            
            
            CNNVD: CNNVD-201611-549

SOURCES
db:IVDid:9cac3a7e-7e99-4f38-b27e-c99367a1891a
db:CNVDid:CNVD-2016-11243
db:BIDid:94344
db:JVNDBid:JVNDB-2016-007648
db:CNNVDid:CNNVD-201611-549
db:NVDid:CVE-2016-8369

LAST UPDATE DATE
2025-04-20T23:29:45.672000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-11243date:2016-11-17T00:00:00
db:BIDid:94344date:2016-11-24T01:10:00
db:JVNDBid:JVNDB-2016-007648date:2017-03-08T00:00:00
db:CNNVDid:CNNVD-201611-549date:2016-11-25T00:00:00
db:NVDid:CVE-2016-8369date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:9cac3a7e-7e99-4f38-b27e-c99367a1891adate:2016-11-17T00:00:00
db:CNVDid:CNVD-2016-11243date:2016-11-17T00:00:00
db:BIDid:94344date:2016-11-15T00:00:00
db:JVNDBid:JVNDB-2016-007648date:2017-03-08T00:00:00
db:CNNVDid:CNNVD-201611-549date:2016-11-25T00:00:00
db:NVDid:CVE-2016-8369date:2017-02-13T21:59:01.207