Details of VAR-201904-1231

ID

VAR-201904-1231

CVE

CVE-2019-10242

TITLE

Eclipse Kura Path traversal vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-003314 // CNNVD: CNNVD-201904-497

DESCRIPTION

In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types. Eclipse Kura Contains a path traversal vulnerability.Information may be obtained. Eclipse Kura is prone to the following vulnerabilities: 1. A directory traversal vulnerability 2. An information disclosure vulnerability 3. An XML External Entity injection information disclosure vulnerability Attackers can exploit these issues to obtain sensitive information that may aid in further attacks. Eclipse Kura through 4.0.0 are vulnerable

Trust: 2.43

sources: NVD: CVE-2019-10242 // JVNDB: JVNDB-2019-003314 // CNVD: CNVD-2019-38869 // BID: 107844

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-38869

AFFECTED PRODUCTS

vendor:	eclipse	model:	kura	scope:	lte	version:	4.0.0	Trust: 1.8
vendor:	eclipse	model:	kura	scope:	lte	version:	<=4.0.0	Trust: 0.6
vendor:	eclipse	model:	kura	scope:	eq	version:	4.0	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	3.2	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	3.1	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	3.0	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	2.1	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	1.4	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	1.2	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	eq	version:	0.7.1	Trust: 0.3
vendor:	eclipse	model:	kura	scope:	ne	version:	4.1	Trust: 0.3

sources: CNVD: CNVD-2019-38869 // BID: 107844 // JVNDB: JVNDB-2019-003314 // NVD: CVE-2019-10242

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-10242
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-10242
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-38869
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201904-497
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2019-10242
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-38869
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-10242
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-38869 // JVNDB: JVNDB-2019-003314 // CNNVD: CNNVD-201904-497 // NVD: CVE-2019-10242

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2019-003314 // NVD: CVE-2019-10242

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-497

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201904-497

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003314

PATCH

title:	Bug 545833	url:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=545833	Trust: 0.8
title:	Patch for Eclipse Kura directory traversal vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/188543	Trust: 0.6
title:	Eclipse Kura Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91317	Trust: 0.6

sources: CNVD: CNVD-2019-38869 // JVNDB: JVNDB-2019-003314 // CNNVD: CNNVD-201904-497

EXTERNAL IDS

db:	NVD	id:	CVE-2019-10242	Trust: 3.3
db:	BID	id:	107844	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-003314	Trust: 0.8
db:	CNVD	id:	CNVD-2019-38869	Trust: 0.6
db:	CNNVD	id:	CNNVD-201904-497	Trust: 0.6

sources: CNVD: CNVD-2019-38869 // BID: 107844 // JVNDB: JVNDB-2019-003314 // CNNVD: CNNVD-201904-497 // NVD: CVE-2019-10242

REFERENCES

url:	http://www.securityfocus.com/bid/107844	Trust: 2.8
url:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=545835	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10242	Trust: 1.4
url:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=545833	Trust: 0.9
url:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=545834	Trust: 0.9
url:	https://github.com/eclipse/kura/pull/2368	Trust: 0.9
url:	https://www.eclipse.org/kura	Trust: 0.9
url:	https://github.com/eclipse/kura/pull/2305	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10242	Trust: 0.8

sources: CNVD: CNVD-2019-38869 // BID: 107844 // JVNDB: JVNDB-2019-003314 // CNNVD: CNNVD-201904-497 // NVD: CVE-2019-10242

CREDITS

Matteo Maiero

Trust: 0.9

sources: BID: 107844 // CNNVD: CNNVD-201904-497

SOURCES

db:	CNVD	id:	CNVD-2019-38869
db:	BID	id:	107844
db:	JVNDB	id:	JVNDB-2019-003314
db:	CNNVD	id:	CNNVD-201904-497
db:	NVD	id:	CVE-2019-10242

LAST UPDATE DATE

2024-11-23T21:59:59.086000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-38869	date:	2019-11-04T00:00:00
db:	BID	id:	107844	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003314	date:	2019-05-14T00:00:00
db:	CNNVD	id:	CNNVD-201904-497	date:	2019-04-15T00:00:00
db:	NVD	id:	CVE-2019-10242	date:	2024-11-21T04:18:43.617

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-38869	date:	2019-11-04T00:00:00
db:	BID	id:	107844	date:	2019-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003314	date:	2019-05-14T00:00:00
db:	CNNVD	id:	CNNVD-201904-497	date:	2019-04-09T00:00:00
db:	NVD	id:	CVE-2019-10242	date:	2019-04-09T16:29:01.507