#VU17383 Resource injection in InTouch Edge HMI and AVEVA Edge - CVE-2019-6545

 


Published: February 6, 2019 / Updated: June 17, 2021


Vulnerability identifier: #VU17383
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-6545
CWE-ID: CWE-99
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
InTouch Edge HMI
AVEVA Edge
Software vendor:
AVEVA Software, LLC.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the TCP/IP Server Task due to resource injection. A remote unauthenticated attacker can use a specially crafted database connection configuration file to execute arbitrary code with the program's runtime privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Install the update from the vendor's website.
