Details of VAR-201911-1768

ID

VAR-201911-1768

CVE

CVE-2019-18250

TITLE

ABB Power Generation Information Manager and Plant Connect Vulnerable to information leak from cache

Trust: 0.8

sources: JVNDB: JVNDB-2019-012893

DESCRIPTION

In all versions of ABB Power Generation Information Manager (PGIM) and Plant Connect, the affected product is vulnerable to authentication bypass, which may allow an attacker to remotely bypass authentication and extract credentials from the affected device. ABB Plant Connect is a plant monitoring and management system

Trust: 2.43

sources: NVD: CVE-2019-18250 // JVNDB: JVNDB-2019-012893 // CNVD: CNVD-2019-42428 // IVD: 341d6173-f25d-4d5d-bb74-f979e8ca0b60 // VULHUB: VHN-150578

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 341d6173-f25d-4d5d-bb74-f979e8ca0b60 // CNVD: CNVD-2019-42428

AFFECTED PRODUCTS

vendor:	abb	model:	power generation information manager	scope:	-	version:	-	Trust: 1.4
vendor:	abb	model:	plant connect	scope:	-	version:	-	Trust: 1.4
vendor:	abb	model:	plant connect	scope:	eq	version:	*	Trust: 1.0
vendor:	abb	model:	power generation information manager	scope:	eq	version:	*	Trust: 1.0
vendor:	plant connect	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	power generation information manager	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 341d6173-f25d-4d5d-bb74-f979e8ca0b60 // CNVD: CNVD-2019-42428 // JVNDB: JVNDB-2019-012893 // NVD: CVE-2019-18250

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-18250
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-18250
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-42428
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201911-997
value:	CRITICAL
Trust: 0.6
IVD:	341d6173-f25d-4d5d-bb74-f979e8ca0b60
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-150578
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-18250
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-42428
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	341d6173-f25d-4d5d-bb74-f979e8ca0b60
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-150578
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-18250
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-18250
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 341d6173-f25d-4d5d-bb74-f979e8ca0b60 // CNVD: CNVD-2019-42428 // VULHUB: VHN-150578 // JVNDB: JVNDB-2019-012893 // CNNVD: CNNVD-201911-997 // NVD: CVE-2019-18250

PROBLEMTYPE DATA

problemtype:	CWE-288	Trust: 1.0
problemtype:	CWE-287	Trust: 1.0
problemtype:	CWE-522	Trust: 0.9

sources: VULHUB: VHN-150578 // JVNDB: JVNDB-2019-012893 // NVD: CVE-2019-18250

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-997

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201911-997

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012893

PATCH

title:	Top Page	url:	https://new.abb.com/	Trust: 0.8
title:	Patch for ABB Power Generation Information Manager (PGIM) and Plant Connect Security Validation Bypass Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/192105	Trust: 0.6
title:	ABB Power Generation Information Manager and Plant Connect Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=103772	Trust: 0.6

sources: CNVD: CNVD-2019-42428 // JVNDB: JVNDB-2019-012893 // CNNVD: CNNVD-201911-997

EXTERNAL IDS

db:	NVD	id:	CVE-2019-18250	Trust: 3.3
db:	ICS CERT	id:	ICSA-19-318-05	Trust: 3.1
db:	CNNVD	id:	CNNVD-201911-997	Trust: 0.9
db:	CNVD	id:	CNVD-2019-42428	Trust: 0.8
db:	JVNDB	id:	JVNDB-2019-012893	Trust: 0.8
db:	NSFOCUS	id:	47526	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4312	Trust: 0.6
db:	IVD	id:	341D6173-F25D-4D5D-BB74-F979E8CA0B60	Trust: 0.2
db:	VULHUB	id:	VHN-150578	Trust: 0.1

sources: IVD: 341d6173-f25d-4d5d-bb74-f979e8ca0b60 // CNVD: CNVD-2019-42428 // VULHUB: VHN-150578 // JVNDB: JVNDB-2019-012893 // CNNVD: CNNVD-201911-997 // NVD: CVE-2019-18250

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-318-05	Trust: 3.1
url:	https://iotsecuritynews.com/abb-power-generation-information-manager-pgim-and-plant-connect/	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2019-18250	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18250	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/47526	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.4312/	Trust: 0.6

sources: CNVD: CNVD-2019-42428 // VULHUB: VHN-150578 // JVNDB: JVNDB-2019-012893 // CNNVD: CNNVD-201911-997 // NVD: CVE-2019-18250

SOURCES

db:	IVD	id:	341d6173-f25d-4d5d-bb74-f979e8ca0b60
db:	CNVD	id:	CNVD-2019-42428
db:	VULHUB	id:	VHN-150578
db:	JVNDB	id:	JVNDB-2019-012893
db:	CNNVD	id:	CNNVD-201911-997
db:	NVD	id:	CVE-2019-18250

LAST UPDATE DATE

2024-11-23T22:41:17.473000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-42428	date:	2019-11-27T00:00:00
db:	VULHUB	id:	VHN-150578	date:	2019-12-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-012893	date:	2019-12-26T00:00:00
db:	CNNVD	id:	CNNVD-201911-997	date:	2021-11-02T00:00:00
db:	NVD	id:	CVE-2019-18250	date:	2024-11-21T04:32:55.277

SOURCES RELEASE DATE

db:	IVD	id:	341d6173-f25d-4d5d-bb74-f979e8ca0b60	date:	2019-11-27T00:00:00
db:	CNVD	id:	CNVD-2019-42428	date:	2019-11-27T00:00:00
db:	VULHUB	id:	VHN-150578	date:	2019-11-26T00:00:00
db:	JVNDB	id:	JVNDB-2019-012893	date:	2019-12-16T00:00:00
db:	CNNVD	id:	CNNVD-201911-997	date:	2019-11-14T00:00:00
db:	NVD	id:	CVE-2019-18250	date:	2019-11-26T00:15:11.780