Sign-up

ID

VAR-201702-0304


CVE

CVE-2016-8357


TITLE

Lynxspring JENEsys BAS Bridge Vulnerability that allows arbitrary changes in applications with read-only access

Trust: 0.8

sources: JVNDB: JVNDB-2016-007646

DESCRIPTION

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older. A user with read-only access can send commands to the software and the application will accept those commands. This would allow an attacker with read-only access to make changes within the application. Lynxspring is an American company. BAS Bridge is a web-based SCADA system. BAS server deployment areas include commercial facilities, manufacturing, energy, water and wastewater systems, and more. A privilege elevation vulnerability exists in Lynxspring JENEsys BAS Bridge. A privilege-escalation vulnerability 2. An authentication-bypass vulnerability 3. A security-bypass vulnerability 3. A cross-site request-forgery vulnerability An attackers may exploit these issues to gain unauthorized access to restricted content, bypass intended security restrictions, gain elevated privileges or perform certain unauthorized actions and gain access to the affected application that may aid in launching further attacks

Trust: 2.7

sources: NVD: CVE-2016-8357 // JVNDB: JVNDB-2016-007646 // CNVD: CNVD-2016-11246 // BID: 94344 // IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3 // VULMON: CVE-2016-8357

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3 // CNVD: CNVD-2016-11246

AFFECTED PRODUCTS

vendor:lynxspringmodel:jenesys bas bridgescope:lteversion:1.1.8

Trust: 1.8

vendor:lynxspringmodel:bas bridgescope:eqversion:1.1.8

Trust: 0.9

vendor:lynxspringmodel:jenesys bas bridgescope:eqversion:1.1.8

Trust: 0.6

vendor:jenesys bas bridgemodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3 // CNVD: CNVD-2016-11246 // BID: 94344 // JVNDB: JVNDB-2016-007646 // CNNVD: CNNVD-201611-546 // NVD: CVE-2016-8357

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8357
value: HIGH

Trust: 1.0

NVD: CVE-2016-8357
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-11246
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201611-546
value: MEDIUM

Trust: 0.6

IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3
value: MEDIUM

Trust: 0.2

VULMON: CVE-2016-8357
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-8357
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2016-11246
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:P/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:P/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2016-8357
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.0

Trust: 1.8

sources: IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3 // CNVD: CNVD-2016-11246 // VULMON: CVE-2016-8357 // JVNDB: JVNDB-2016-007646 // CNNVD: CNNVD-201611-546 // NVD: CVE-2016-8357

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2016-007646 // NVD: CVE-2016-8357

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-546

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201611-546

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-007646

PATCH
title:Top Pageurl:http://www.lynxspring.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2016-007646

EXTERNAL IDS
db:NVDid:CVE-2016-8357
Trust: 3.6
db:ICS CERTid:ICSA-16-320-01
Trust: 3.4
db:BIDid:94344
Trust: 2.6
db:CNVDid:CNVD-2016-11246
Trust: 0.8
db:CNNVDid:CNNVD-201611-546
Trust: 0.8
db:JVNDBid:JVNDB-2016-007646
Trust: 0.8
db:IVDid:EA57AB05-FDBF-4E09-B273-CD238E1354B3
Trust: 0.2
db:VULMONid:CVE-2016-8357
Trust: 0.1
sources:
            
            
            IVD: ea57ab05-fdbf-4e09-b273-cd238e1354b3 // 
            
            
            
            CNVD: CNVD-2016-11246 // 
            
            
            
            VULMON: CVE-2016-8357 // 
            
            
            
            BID: 94344 // 
            
            
            
            JVNDB: JVNDB-2016-007646 // 
            
            
            
            CNNVD: CNNVD-201611-546 // 
            
            
            
            NVD: CVE-2016-8357

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-320-01
Trust: 3.5
url:http://www.securityfocus.com/bid/94344
Trust: 1.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8357
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8357
Trust: 0.8
url:http://www.lynxspring.com/technology/jenesys
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/264.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-11246 // 
            
            
            
            VULMON: CVE-2016-8357 // 
            
            
            
            BID: 94344 // 
            
            
            
            JVNDB: JVNDB-2016-007646 // 
            
            
            
            CNNVD: CNNVD-201611-546 // 
            
            
            
            NVD: CVE-2016-8357

CREDITS
Maxim Rupp
Trust: 0.9
sources:
            
            
            BID: 94344 // 
            
            
            
            CNNVD: CNNVD-201611-546

SOURCES
db:IVDid:ea57ab05-fdbf-4e09-b273-cd238e1354b3
db:CNVDid:CNVD-2016-11246
db:VULMONid:CVE-2016-8357
db:BIDid:94344
db:JVNDBid:JVNDB-2016-007646
db:CNNVDid:CNNVD-201611-546
db:NVDid:CVE-2016-8357

LAST UPDATE DATE
2025-04-20T23:29:45.746000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-11246date:2016-11-17T00:00:00
db:VULMONid:CVE-2016-8357date:2017-02-17T00:00:00
db:BIDid:94344date:2016-11-24T01:10:00
db:JVNDBid:JVNDB-2016-007646date:2017-03-08T00:00:00
db:CNNVDid:CNNVD-201611-546date:2016-11-25T00:00:00
db:NVDid:CVE-2016-8357date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:ea57ab05-fdbf-4e09-b273-cd238e1354b3date:2016-11-17T00:00:00
db:CNVDid:CNVD-2016-11246date:2016-11-17T00:00:00
db:VULMONid:CVE-2016-8357date:2017-02-13T00:00:00
db:BIDid:94344date:2016-11-15T00:00:00
db:JVNDBid:JVNDB-2016-007646date:2017-03-08T00:00:00
db:CNNVDid:CNNVD-201611-546date:2016-11-25T00:00:00
db:NVDid:CVE-2016-8357date:2017-02-13T21:59:00.923