Main Vulnerability Database Vulnerabilities #VU20897

#VU20897 Session Fixation in Pyxis Enterprise Server and Pyxis ES - CVE-2019-13517

Published: September 6, 2019

Vulnerability identifier: #VU20897

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-13517

CWE-ID: CWE-384

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vulnerable software:
Pyxis Enterprise Server
Pyxis ES

Software vendor:
Becton, Dickinson and Company (BD)

Description

The vulnerability allows a local attacker to steal authenticated sessions.

The vulnerability exists due to the exists access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an Active Directory (AD) domain. A local authenticated user can use the AD credentials of a previously authenticated user to gain access to the device and obtain the patient data and medication.

Remediation

Install updates from vendor's website.

External links

https://ics-cert.us-cert.gov/advisories/icsma-19-248-01

#VU20897 Session Fixation in Pyxis Enterprise Server and Pyxis ES - CVE-2019-13517

Description

Remediation

External links

Please verify you're human