CVE-2019-10980

A type confusion vulnerability may be exploited when LAquis SCADA 4.3.1.71 processes a specially crafted project file. This may allow an attacker to execute remote code. The attacker must have local access to the system. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS v3 7.8 HIGH
CVSS v2.0 6.8 MEDIUM

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsa-19-213-06	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:laquisscada:scada:4.3.1.71:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-08-05 19:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-10980

Mitre link : CVE-2019-10980

CVE.ORG link : CVE-2019-10980

JSON object : View

Products Affected

laquisscada

scada

CWE

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

{"id": "CVE-2019-10980", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2019-08-05T19:15:11.117", "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsa-19-213-06", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-843"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "A type confusion vulnerability may be exploited when LAquis SCADA 4.3.1.71 processes a specially crafted project file. This may allow an attacker to execute remote code. The attacker must have local access to the system. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)."}, {"lang": "es", "value": "Una vulnerabilidad de confusi\u00f3n de tipo puede ser explotada cuando LAquis SCADA versi\u00f3n 4.3.1.71, procesa un archivo de proyecto especialmente dise\u00f1ado. Esto puede permitir que un atacante ejecute c\u00f3digo remoto. El atacante requiere tener acceso local al sistema. Un puntaje base de CVSS v3 de 7.8 ha sido calculado; la cadena de vectores CVSS es (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)."}], "lastModified": "2020-10-02T14:12:42.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:laquisscada:scada:4.3.1.71:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00921E1E-7AD9-4AE5-8689-AD04A22FDA7C"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}