Details of VAR-201803-1847

ID

VAR-201803-1847

CVE

CVE-2018-7227

TITLE

Schneider Electric Pelco Sarix Professional Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-002605

DESCRIPTION

A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow retrieving of specially crafted URLs without authentication that can reveal sensitive information to an attacker. Schneider Electric Pelco Sarix Professional Contains an information disclosure vulnerability.Information may be obtained. SchneiderElectricPelcoSarixProfessional is a video surveillance device from Schneider Electric, France. A security vulnerability exists in SchneiderElectricPelcoSarixProfessional with firmware prior to 3.25.67. An attacker could exploit this vulnerability to obtain sensitive information. Information obtained may aid in further attacks

Trust: 2.43

sources: NVD: CVE-2018-7227 // JVNDB: JVNDB-2018-002605 // CNVD: CNVD-2018-05324 // BID: 105842

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-05324

AFFECTED PRODUCTS

vendor:	schneider electric	model:	imp519-1e	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	ibp219-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	ibp319-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	ibp519-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imps110-1e	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp219-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp519-1	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp319-1	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp219-1e	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp319-1e	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	ibps110-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp1110-1	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	mps110-1	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp519-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp319-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp219-1	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imps110-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp1110-1e	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	ibp1110-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	imp1110-1er	scope:	lt	version:	3.29.67	Trust: 1.0
vendor:	schneider electric	model:	ibp1110-1er	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	ibps110-1er	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	imp1110-1	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	imps110-1e	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric pelco sarix professional	scope:	lt	version:	3.29.67	Trust: 0.6
vendor:	schneider electric	model:	pelco sarix professional	scope:	eq	version:	03.29.65	Trust: 0.3
vendor:	schneider electric	model:	pelco sarix professional	scope:	eq	version:	03.29.63	Trust: 0.3
vendor:	schneider electric	model:	pelco sarix professional	scope:	eq	version:	03.29.59	Trust: 0.3
vendor:	schneider electric	model:	pelco sarix professional	scope:	eq	version:	03.29.51	Trust: 0.3
vendor:	schneider electric	model:	pelco sarix professional	scope:	ne	version:	03.29.67	Trust: 0.3

sources: CNVD: CNVD-2018-05324 // BID: 105842 // JVNDB: JVNDB-2018-002605 // NVD: CVE-2018-7227

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-7227
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-7227
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-05324
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201803-044
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-7227
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-05324
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-7227
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2018-7227
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2018-05324 // JVNDB: JVNDB-2018-002605 // CNNVD: CNNVD-201803-044 // NVD: CVE-2018-7227

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.0
problemtype:	CWE-200	Trust: 0.8

sources: JVNDB: JVNDB-2018-002605 // NVD: CVE-2018-7227

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-044

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201803-044

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002605

PATCH

title:	SEVD-2018-058-01	url:	https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Id=9607912128&p_File_Name=SEVD-2018-058-01+Pelco+Sarix+Professional+V1.2.pdf&p_Doc_Ref=SEVD-2018-058-01	Trust: 0.8
title:	SchneiderElectricPelcoSarixProfessional Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/121565	Trust: 0.6
title:	Schneider Electric Pelco Sarix Professional Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78838	Trust: 0.6

sources: CNVD: CNVD-2018-05324 // JVNDB: JVNDB-2018-002605 // CNNVD: CNNVD-201803-044

EXTERNAL IDS

db:	NVD	id:	CVE-2018-7227	Trust: 3.3
db:	SCHNEIDER	id:	SEVD-2018-058-01	Trust: 1.9
db:	JVNDB	id:	JVNDB-2018-002605	Trust: 0.8
db:	CNVD	id:	CNVD-2018-05324	Trust: 0.6
db:	CNNVD	id:	CNNVD-201803-044	Trust: 0.6
db:	BID	id:	105842	Trust: 0.3

sources: CNVD: CNVD-2018-05324 // BID: 105842 // JVNDB: JVNDB-2018-002605 // CNNVD: CNNVD-201803-044 // NVD: CVE-2018-7227

REFERENCES

url:	https://www.schneider-electric.com/en/download/document/sevd-2018-058-01/	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-7227	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7227	Trust: 0.8
url:	www.controlmicrosystems.com	Trust: 0.3
url:	https://download.schneider-electric.com/files?p_endoctype=technical+leaflet&p_file_name=sevd-2018-058-01+pelco+sarix+professional+v1.2.pdf&p_doc_ref=sevd-2018-058-01	Trust: 0.3

sources: CNVD: CNVD-2018-05324 // BID: 105842 // JVNDB: JVNDB-2018-002605 // CNNVD: CNNVD-201803-044 // NVD: CVE-2018-7227

CREDITS

Deng Yongkai of NSFOCUS Security Team

Trust: 0.3

sources: BID: 105842

SOURCES

db:	CNVD	id:	CNVD-2018-05324
db:	BID	id:	105842
db:	JVNDB	id:	JVNDB-2018-002605
db:	CNNVD	id:	CNNVD-201803-044
db:	NVD	id:	CVE-2018-7227

LAST UPDATE DATE

2024-11-23T21:39:29.378000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-05324	date:	2018-03-15T00:00:00
db:	BID	id:	105842	date:	2018-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-002605	date:	2018-04-20T00:00:00
db:	CNNVD	id:	CNNVD-201803-044	date:	2022-02-07T00:00:00
db:	NVD	id:	CVE-2018-7227	date:	2024-11-21T04:11:49.580

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-05324	date:	2018-03-15T00:00:00
db:	BID	id:	105842	date:	2018-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-002605	date:	2018-04-20T00:00:00
db:	CNNVD	id:	CNNVD-201803-044	date:	2018-03-01T00:00:00
db:	NVD	id:	CVE-2018-7227	date:	2018-03-09T23:29:00.217