CVE-2019-6544

GE Communicator, all versions prior to 4.0.517, has a service running with system privileges that may allow an unprivileged user to perform certain administrative actions, which may allow the execution of scheduled scripts with system administrator privileges. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.

CVSS v3 5.6 MEDIUM
CVSS v2.0 6.8 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02	Mitigation Third Party Advisory US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02	Mitigation Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:ge:ge_communicator:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:46

Type	Values Removed	Values Added
References	~~() https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 - Mitigation, Third Party Advisory, US Government Resource~~	() https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 - Mitigation, Third Party Advisory, US Government Resource

Information

Published : 2019-05-09 15:29

Updated : 2024-11-21 04:46

NVD link : CVE-2019-6544

Mitre link : CVE-2019-6544

CVE.ORG link : CVE-2019-6544

JSON object : View

Products Affected

ge

ge_communicator

CWE

CWE-284

Improper Access Control

NVD-CWE-Other

{"id": "CVE-2019-6544", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.2}]}, "published": "2019-05-09T15:29:04.903", "references": [{"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "GE Communicator, all versions prior to 4.0.517, has a service running with system privileges that may allow an unprivileged user to perform certain administrative actions, which may allow the execution of scheduled scripts with system administrator privileges. This service is inaccessible to attackers if Windows default firewall settings are used by the end user."}, {"lang": "es", "value": "GE Communicator, todas las versiones anteriores a 4.0.517, permite que un atacante ponga archivos maliciosos en el directorio de trabajo del programa, lo que puede permitir que un atacante manipule los widgets y los elementos de la interfaz de usuario (UI)."}], "lastModified": "2024-11-21T04:46:39.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ge:ge_communicator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "020CEAA5-F437-40FD-A486-F5EBDE01C00F", "versionEndExcluding": "4.0.517"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}