Details of VAR-201810-1165

ID

VAR-201810-1165

CVE

CVE-2018-9279

TITLE

Eaton UPS 9PX Vulnerabilities related to certificate and password management in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-011620

DESCRIPTION

An issue was discovered on Eaton UPS 9PX 8000 SP devices. The appliance discloses the user's password. The web page displayed by the appliance contains the password in cleartext. Passwords could be retrieved by browsing the source code of the webpage. EatonUPS9PX8000SP is a power management device from Eaton Corporation of the United States

Trust: 2.25

sources: NVD: CVE-2018-9279 // JVNDB: JVNDB-2018-011620 // CNVD: CNVD-2019-22860 // VULHUB: VHN-139311

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-22860

AFFECTED PRODUCTS

vendor:	eaton	model:	9px ups	scope:	eq	version:	-	Trust: 1.6
vendor:	eaton	model:	9px ups	scope:	eq	version:	8000 sp	Trust: 0.8
vendor:	eaton	model:	ups 9px sp	scope:	eq	version:	8000	Trust: 0.6

sources: CNVD: CNVD-2019-22860 // JVNDB: JVNDB-2018-011620 // CNNVD: CNNVD-201810-1230 // NVD: CVE-2018-9279

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-9279
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-9279
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-22860
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201810-1230
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-139311
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-9279
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-22860
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-139311
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-9279
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-22860 // VULHUB: VHN-139311 // JVNDB: JVNDB-2018-011620 // CNNVD: CNNVD-201810-1230 // NVD: CVE-2018-9279

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.1
problemtype:	CWE-255	Trust: 0.9

sources: VULHUB: VHN-139311 // JVNDB: JVNDB-2018-011620 // NVD: CVE-2018-9279

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1230

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201810-1230

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011620

PATCH

title:	Eaton 9PX UPS	url:	https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-9px-ups.html	Trust: 0.8
title:	Patch for EatonUPS9PX8000SP Password Disclosure Vulnerability (CNVD-2019-22860)	url:	https://www.cnvd.org.cn/patchInfo/show/169221	Trust: 0.6
title:	Eaton UPS 9PX 8000 SP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86313	Trust: 0.6

sources: CNVD: CNVD-2019-22860 // JVNDB: JVNDB-2018-011620 // CNNVD: CNNVD-201810-1230

EXTERNAL IDS

db:	NVD	id:	CVE-2018-9279	Trust: 3.1
db:	JVNDB	id:	JVNDB-2018-011620	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1230	Trust: 0.7
db:	CNVD	id:	CNVD-2019-22860	Trust: 0.6
db:	VULHUB	id:	VHN-139311	Trust: 0.1

sources: CNVD: CNVD-2019-22860 // VULHUB: VHN-139311 // JVNDB: JVNDB-2018-011620 // CNNVD: CNNVD-201810-1230 // NVD: CVE-2018-9279

REFERENCES

url:	https://www.bishopfox.com/news/2018/10/eaton-ups-9px-8000-sp-multiple-vulnerabilities/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2018-9279	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9279	Trust: 0.8

sources: CNVD: CNVD-2019-22860 // VULHUB: VHN-139311 // JVNDB: JVNDB-2018-011620 // CNNVD: CNNVD-201810-1230 // NVD: CVE-2018-9279

SOURCES

db:	CNVD	id:	CNVD-2019-22860
db:	VULHUB	id:	VHN-139311
db:	JVNDB	id:	JVNDB-2018-011620
db:	CNNVD	id:	CNNVD-201810-1230
db:	NVD	id:	CVE-2018-9279

LAST UPDATE DATE

2024-11-23T23:08:33.833000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-22860	date:	2019-07-17T00:00:00
db:	VULHUB	id:	VHN-139311	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-011620	date:	2019-01-18T00:00:00
db:	CNNVD	id:	CNNVD-201810-1230	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-9279	date:	2024-11-21T04:15:16.833

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-22860	date:	2019-07-17T00:00:00
db:	VULHUB	id:	VHN-139311	date:	2018-10-24T00:00:00
db:	JVNDB	id:	JVNDB-2018-011620	date:	2019-01-18T00:00:00
db:	CNNVD	id:	CNNVD-201810-1230	date:	2018-10-25T00:00:00
db:	NVD	id:	CVE-2018-9279	date:	2018-10-24T21:29:01.483