Information disclosure in GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-19003 |
| CWE-ID | CWE-22 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
LS2100e Hardware solutions / Office equipment, IP-phones, print servers EX2100e_Reg Hardware solutions / Office equipment, IP-phones, print servers EX2100e Hardware solutions / Office equipment, IP-phones, print servers Mark VIe Hardware solutions / Office equipment, IP-phones, print servers |
| Vendor | GE |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Path traversal
EUVDB-ID: #VU16537
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19003
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows an adjacent unauthenticated attacker to obtain potentially sensitive information.
The vulnerability exists due to improper restriction of the ability of an attacker to gain access to restricted information. An adjacent attacker can conduct directory traversal attack and gain access to potentially sensitive information.
MitigationUpdate the affected products to the latest versions.
Vulnerable software versionsLS2100e: All versions
EX2100e_Reg: All versions
EX2100e: All versions
Mark VIe: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-347-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
