CVE-2014-9186

A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01	Third Party Advisory US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:honeywell:experion_process_knowledge_system::::::::
	cpe:2.3:a:honeywell:experion_process_knowledge_system::::::::
	cpe:2.3:a:honeywell:experion_process_knowledge_system::::::::

History

21 Nov 2024, 02:20

Type	Values Removed	Values Added
References	~~() https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01 - US Government Resource, Third Party Advisory~~	() https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01 - Third Party Advisory, US Government Resource

Information

Published : 2019-04-08 16:29

Updated : 2024-11-21 02:20

NVD link : CVE-2014-9186

Mitre link : CVE-2014-9186

CVE.ORG link : CVE-2014-9186

JSON object : View

Products Affected

honeywell

experion_process_knowledge_system

CWE

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-20

Improper Input Validation

{"id": "CVE-2014-9186", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-04-08T16:29:00.493", "references": [{"url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-98"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de inclusi\u00f3n de archivos en el m\u00f3dulo confd.exe en Honeywell Experion PKS R40x anterior a R400.6, R41x anterior a R410.6 y R43x anterior a R430.2, lo que podr\u00eda conllevar a aceptar un archivo arbitrario en la funci\u00f3n y la posible divulgaci\u00f3n de informaci\u00f3n o ejecuci\u00f3n de c\u00f3digo remoto . Honeywell exhorta encarecidamente y recomienda a todos los clientes que ejecutan versiones no compatibles de EKPS anterior a R400 a actualizar a una versi\u00f3n compatible."}], "lastModified": "2024-11-21T02:20:21.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:honeywell:experion_process_knowledge_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E83AB48A-F78A-4D8E-8833-DFD95946F16A", "versionEndExcluding": "r400.6", "versionStartIncluding": "r400"}, {"criteria": "cpe:2.3:a:honeywell:experion_process_knowledge_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "899CC094-462B-4862-97D6-DAF1BDD70B5C", "versionEndExcluding": "r410.6", "versionStartIncluding": "r410"}, {"criteria": "cpe:2.3:a:honeywell:experion_process_knowledge_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19429BFB-4485-4F36-9DF9-3BD83DE3F1FD", "versionEndExcluding": "r430.2", "versionStartIncluding": "r430"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}

9.8 /10