Resource injection in InTouch Edge HMI and AVEVA Edge - CVE-2019-6545

 


Published: February 6, 2019 / Updated: June 17, 2021


Vulnerability identifier: #VU17383
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-6545
CWE-ID: CWE-99
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: AVEVA Software, LLC.
Affected software:
InTouch Edge HMI
AVEVA Edge

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the TCP/IP Server Task due to resource injection. A remote unauthenticated attacker can use a specially crafted database connection configuration file to execute arbitrary code with the privileges of the program runtime.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


How to mitigate CVE-2019-6545

Install the update from the vendor's website.
