CVE-2019-10952
CVSS V2 High 7.5
CVSS V3 Critical 9.8
Description
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier systems.
Overview
- CVE ID
- CVE-2019-10952
- Assigner
- ics-cert@hq.dhs.gov
- Vulnerability Status
- Analyzed
- Published Version
- 2019-05-01T20:29:00
- Last Modified Date
- 2020-10-02T14:37:38
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:o:rockwellautomation:compactlogix_5370_l1_firmware:*:*:*:*:*:*:*:* | 1 | OR | 20.011 | 30.014 |
| cpe:2.3:h:rockwellautomation:compactlogix_5370_l1:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:rockwellautomation:compactlogix_5370_l2_firmware:*:*:*:*:*:*:*:* | 1 | OR | 20.011 | 30.014 |
| cpe:2.3:h:rockwellautomation:compactlogix_5370_l2:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:rockwellautomation:compactlogix_5370_l3_firmware:*:*:*:*:*:*:*:* | 1 | OR | 20.011 | 30.014 |
| cpe:2.3:h:rockwellautomation:compactlogix_5370_l3:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:rockwellautomation:armor_compact_guardlogix_5370_firmware:*:*:*:*:*:*:*:* | 1 | OR | 20.011 | 30.014 |
| cpe:2.3:h:rockwellautomation:armor_compact_guardlogix_5370:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:P/I:P/A:P
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 7.5
- Severity
- HIGH
- Exploitability Score
- 10
- Impact Score
- 6.4
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 9.8
- Base Severity
- CRITICAL
- Exploitability Score
- 3.9
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-19-120-01 | Third Party Advisory US Government Resource |
| http://www.securityfocus.com/bid/108118 | Third Party Advisory VDB Entry |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2019-10952 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10952 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 17:10:59 | Added to TrackCVE | |||
| 2022-12-03 20:17:46 | 2019-05-01T20:29Z | 2019-05-01T20:29:00 | CVE Published Date | updated |
| 2022-12-03 20:17:46 | 2020-10-02T14:37:38 | CVE Modified Date | updated | |
| 2022-12-03 20:17:46 | Analyzed | Vulnerability Status | updated |