ID

VAR-201907-0584


CVE

CVE-2019-11990


TITLE

HPE UIoT Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-006721

DESCRIPTION

Security vulnerabilities in HPE UIoT versions 1.6, 1.5, 1.4.2, 1.4.1, 1.4.0, and 1.2.4.2 could allow unauthorized remote access and access to sensitive data. HPE has addressed this issue in HPE UIoT:

* For customers with release UIoT 1.6, fixes are made available with 1.6 RP603
* For customers with release UIoT 1.5, fixes are made available with 1.5 RP503 HF3
* For customers with release older than 1.5, such as 1.4.0, 1.4.1, 1.4.2 and 1.2.4.2, the resolution will be to upgrade to 1.5 RP503 HF3 or 1.6 RP603

Customers are requested to upgrade to the updated versions or contact HPE support for further assistance.

HPE UIoT contains an access control vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). There are security holes in HPE UIoT. HPE UIoT is a universal IoT platform from Hewlett Packard Enterprise (HPE). The platform has functions such as data analysis, currency security and synchronization management. The following products and versions are affected: HPE UIoT Version 1.6, Version 1.5, Version 1.4.2, Version 1.4.1, Version 1.4.0, Version 1.2.4.2. HP UIoT is prone to an unauthorized-access vulnerability. HP UIoT versions 1.6, 1.5, 1.4.2, 1.4.1, 1.4.0, and 1.2.4.2 are vulnerable.

Trust: 2.97

sources: NVD: CVE-2019-11990 // JVNDB: JVNDB-2019-006721 // CNVD: CNVD-2019-24255 // CNNVD: CNNVD-201907-1140 // BID: 109353

IOT TAXONOMY

category: ['IoT'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-24255

AFFECTED PRODUCTS

vendor: hp // model: universal internet of things // scope: eq // version: 1.4.0

Trust: 1.0

vendor: hp // model: universal internet of things // scope: eq // version: 1.4.2

Trust: 1.0

vendor: hp // model: universal internet of things // scope: eq // version: 1.5

Trust: 1.0

vendor: hp // model: universal internet of things // scope: eq // version: 1.6

Trust: 1.0

vendor: hp // model: universal internet of things // scope: eq // version: 1.4.1

Trust: 1.0

vendor: hp // model: universal internet of things // scope: eq // version: 1.2.4.2

Trust: 1.0

vendor: hewlett packard // model: hpe uiot // scope: eq // version: 1.2.4.2

Trust: 0.8

vendor: hewlett packard // model: hpe uiot // scope: eq // version: 1.4.0

Trust: 0.8

vendor: hewlett packard // model: hpe uiot // scope: eq // version: 1.4.1

Trust: 0.8

vendor: hewlett packard // model: hpe uiot // scope: eq // version: 1.4.2

Trust: 0.8

vendor: hewlett packard // model: hpe uiot // scope: eq // version: 1.5

Trust: 0.8

vendor: hewlett packard // model: hpe uiot // scope: eq // version: 1.6

Trust: 0.8

vendor: hpe // model: uiot // scope: eq // version: 1.5

Trust: 0.6

vendor: hpe // model: uiot // scope: eq // version: 1.4.0

Trust: 0.6

vendor: hpe // model: uiot // scope: eq // version: 1.4.1

Trust: 0.6

vendor: hpe // model: uiot // scope: eq // version: 1.4.2

Trust: 0.6

vendor: hpe // model: uiot // scope: eq // version: 1.2.4.2

Trust: 0.6

vendor: hpe // model: uiot // scope: eq // version: 1.6

Trust: 0.6

vendor: hp // model: uiot // scope: eq // version: 1.4.2

Trust: 0.3

vendor: hp // model: uiot // scope: eq // version: 1.4.1

Trust: 0.3

vendor: hp // model: uiot // scope: eq // version: 1.4

Trust: 0.3

vendor: hp // model: uiot // scope: eq // version: 1.6

Trust: 0.3

vendor: hp // model: uiot // scope: eq // version: 1.5

Trust: 0.3

vendor: hp // model: uiot // scope: eq // version: 1.2.4.2

Trust: 0.3

vendor: hp // model: uiot rp603 // scope: ne // version: 1.6

Trust: 0.3

vendor: hp // model: uiot rp503 hf3 // scope: ne // version: 1.5

Trust: 0.3

sources: CNVD: CNVD-2019-24255 // BID: 109353 // JVNDB: JVNDB-2019-006721 // NVD: CVE-2019-11990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11990
value: HIGH

Trust: 1.0

NVD: CVE-2019-11990
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-24255
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201907-1140
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-11990
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-24255
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-11990
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-24255 // JVNDB: JVNDB-2019-006721 // CNNVD: CNNVD-201907-1140 // NVD: CVE-2019-11990

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2019-006721 // NVD: CVE-2019-11990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1140

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201907-1140

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006721

PATCH

title: hpesbhf03937en_us // url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03937en_us

Trust: 0.8

title: Patch for HPE UIoT Information Disclosure Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/171247

Trust: 0.6

title: HPE UIoT Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95137

Trust: 0.6

sources: CNVD: CNVD-2019-24255 // JVNDB: JVNDB-2019-006721 // CNNVD: CNNVD-201907-1140

EXTERNAL IDS

db: NVD // id: CVE-2019-11990

Trust: 3.3

db: JVNDB // id: JVNDB-2019-006721

Trust: 0.8

db: CNVD // id: CNVD-2019-24255

Trust: 0.6

db: CNNVD // id: CNNVD-201907-1140

Trust: 0.6

db: BID // id: 109353

Trust: 0.3

sources: CNVD: CNVD-2019-24255 // BID: 109353 // JVNDB: JVNDB-2019-006721 // CNNVD: CNNVD-201907-1140 // NVD: CVE-2019-11990

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-11990

Trust: 2.0

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03937en_us

Trust: 1.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11990

Trust: 0.8

url:http://www.hp.com/

Trust: 0.3

sources: CNVD: CNVD-2019-24255 // BID: 109353 // JVNDB: JVNDB-2019-006721 // CNNVD: CNNVD-201907-1140 // NVD: CVE-2019-11990

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109353

SOURCES

db: CNVD // id: CNVD-2019-24255
db: BID // id: 109353
db: JVNDB // id: JVNDB-2019-006721
db: CNNVD // id: CNNVD-201907-1140
db: NVD // id: CVE-2019-11990

LAST UPDATE DATE

2024-11-23T21:52:07.472000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2019-24255 // date: 2019-07-25T00:00:00
db: BID // id: 109353 // date: 2019-07-05T00:00:00
db: JVNDB // id: JVNDB-2019-006721 // date: 2019-07-25T00:00:00
db: CNNVD // id: CNNVD-201907-1140 // date: 2020-08-25T00:00:00
db: NVD // id: CVE-2019-11990 // date: 2024-11-21T04:22:07.143

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2019-24255 // date: 2019-07-24T00:00:00
db: BID // id: 109353 // date: 2019-07-05T00:00:00
db: JVNDB // id: JVNDB-2019-006721 // date: 2019-07-25T00:00:00
db: CNNVD // id: CNNVD-201907-1140 // date: 2019-07-19T00:00:00
db: NVD // id: CVE-2019-11990 // date: 2019-07-19T22:15:11.480