#VU21231 Improper Authorization in Niagara 4 Framework and Niagara AX Framework

Published: 2019-09-20

Vulnerability identifier: #VU21231

Vulnerability risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13528


Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Niagara 4 Framework
Universal components / Libraries / Scripting languages
Niagara AX Framework
Universal components / Libraries / Scripting languages

Vendor: Tridium


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to missing authorization checks. A local authenticated user can gain read access to privileged files.

The following versions are vulnerable:
  • Niagara AX 3.8u4: 
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist:
    • NRE Config Dist:
  • Niagara 4.7u1:
    • OS Dist (JACE 8000):
    • OS Dist (Edge 10):
    • NRE Config Dist:

Contact the vendor through its support channel for available updates.

Vulnerable software versions

Niagara 4 Framework: -

Niagara AX Framework: 2.7.402.2

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
