Details of VAR-201810-1166

ID

VAR-201810-1166

CVE

CVE-2018-9280

TITLE

Eaton UPS 9PX Vulnerabilities related to certificate and password management in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-011621

DESCRIPTION

An issue was discovered on Eaton UPS 9PX 8000 SP devices. The appliance discloses the SNMP version 3 user's password. The web page displayed by the appliance contains the password in cleartext. Passwords of the read and write users could be retrieved by browsing the source code of the webpage. EatonUPS9PX8000SP is a power management device from Eaton Corporation of the United States. The EatonUPS9PX8000SP has a password disclosure vulnerability

Trust: 2.25

sources: NVD: CVE-2018-9280 // JVNDB: JVNDB-2018-011621 // CNVD: CNVD-2019-22859 // VULHUB: VHN-139312

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-22859

AFFECTED PRODUCTS

vendor:	eaton	model:	9px ups	scope:	eq	version:	-	Trust: 1.6
vendor:	eaton	model:	9px ups	scope:	eq	version:	8000 sp	Trust: 0.8
vendor:	eaton	model:	ups 9px sp	scope:	eq	version:	8000	Trust: 0.6

sources: CNVD: CNVD-2019-22859 // JVNDB: JVNDB-2018-011621 // CNNVD: CNNVD-201810-1231 // NVD: CVE-2018-9280

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-9280
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-9280
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-22859
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201810-1231
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-139312
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-9280
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-22859
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-139312
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-9280
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-22859 // VULHUB: VHN-139312 // JVNDB: JVNDB-2018-011621 // CNNVD: CNNVD-201810-1231 // NVD: CVE-2018-9280

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.1
problemtype:	CWE-255	Trust: 0.9

sources: VULHUB: VHN-139312 // JVNDB: JVNDB-2018-011621 // NVD: CVE-2018-9280

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1231

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201810-1231

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011621

PATCH

title:	Eaton 9PX UPS	url:	https://www.eaton.com/us/en-us/catalog/backup-power-ups-surge-it-power-distribution/eaton-9px-ups.html	Trust: 0.8
title:	EatonUPS9PX8000SP Password Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/169217	Trust: 0.6
title:	Eaton UPS 9PX 8000 SP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86314	Trust: 0.6

sources: CNVD: CNVD-2019-22859 // JVNDB: JVNDB-2018-011621 // CNNVD: CNNVD-201810-1231

EXTERNAL IDS

db:	NVD	id:	CVE-2018-9280	Trust: 3.1
db:	JVNDB	id:	JVNDB-2018-011621	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1231	Trust: 0.7
db:	CNVD	id:	CNVD-2019-22859	Trust: 0.6
db:	VULHUB	id:	VHN-139312	Trust: 0.1

sources: CNVD: CNVD-2019-22859 // VULHUB: VHN-139312 // JVNDB: JVNDB-2018-011621 // CNNVD: CNNVD-201810-1231 // NVD: CVE-2018-9280

REFERENCES

url:	https://www.bishopfox.com/news/2018/10/eaton-ups-9px-8000-sp-multiple-vulnerabilities/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2018-9280	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9280	Trust: 0.8

sources: CNVD: CNVD-2019-22859 // VULHUB: VHN-139312 // JVNDB: JVNDB-2018-011621 // CNNVD: CNNVD-201810-1231 // NVD: CVE-2018-9280

SOURCES

db:	CNVD	id:	CNVD-2019-22859
db:	VULHUB	id:	VHN-139312
db:	JVNDB	id:	JVNDB-2018-011621
db:	CNNVD	id:	CNNVD-201810-1231
db:	NVD	id:	CVE-2018-9280

LAST UPDATE DATE

2024-11-23T22:41:39.563000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-22859	date:	2019-07-17T00:00:00
db:	VULHUB	id:	VHN-139312	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-011621	date:	2019-01-18T00:00:00
db:	CNNVD	id:	CNNVD-201810-1231	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-9280	date:	2024-11-21T04:15:16.980

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-22859	date:	2019-07-17T00:00:00
db:	VULHUB	id:	VHN-139312	date:	2018-10-24T00:00:00
db:	JVNDB	id:	JVNDB-2018-011621	date:	2019-01-18T00:00:00
db:	CNNVD	id:	CNNVD-201810-1231	date:	2018-10-25T00:00:00
db:	NVD	id:	CVE-2018-9280	date:	2018-10-24T21:29:01.593