Main Vulnerability Database SB2019091303

SB2019091303 - Improper access control in CODESYS Control V3

Published: September 13, 2019

Security Bulletin ID SB2019091303

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2019-9008)

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to gain access to unintended functionality on the target system.

The vulnerability exists in the CODESYS Control V3 online user management interface due to the software may incorrectly grant access to sub objects, even if the logged-in user does not have inherited permission to access them. A remote authenticated attacker can gain access to unintended functionality and/or information.

Remediation

Install update from vendor's website.

References

https://ics-cert.us-cert.gov/advisories/icsa-19-255-03

SB2019091303 - Improper access control in CODESYS Control V3

Breakdown by Severity

Description

Remediation

References

Please verify you're human