CVE-2019-18339
Published: 2019-12-12
Priority P267 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.65% (83.7th percentile)
A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0). The HTTP service (default port 5401/tcp) of the SiVMS/SiNVR Video Server contains an authentication bypass vulnerability, even when properly configured with enforced authentication. A remote attacker with network access to the Video Server could exploit this vulnerability to read the SiVMS/SiNVR users database, including the passwords of all users in obfuscated cleartext.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | sinvr_sivms_video_server | — | — |
CVSS provenance
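| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |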
GHSA
GHSA-372q-jmw9-5mw6: A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions)
ghsa_unreviewed·2022-05-24
CVE-2019-18339 [CRITICAL] CWE-306 GHSA-372q-jmw9-5mw6
A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The HTTP service (default port 5401/tcp) of the SiNVR 3 Video Server contains an authentication bypass vulnerability, even when properly configured with enforced authentication. A remote attacker with network access to the Video Server could exploit this vulnerability to read the SiNVR users database, including the passwords of all users in obfuscated cleartext.
CISA ICS
Siemens and PKE SiNVR, SiVMS Video Server (Update A)
cisa_ics·2019-12-10·CVSS 4.9
[MEDIUM] Siemens and PKE SiNVR, SiVMS Video Server (Update A)
ICS Advisory
## Siemens and PKE SiNVR, SiVMS Video Server (Update A)
Last Revised: April 14, 2021
Alert Code: ICSA-19-344-02
## 1. EXECUTIVE SUMMARY
--------- Begin Update A Part 1 of 6 ---------
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendors: Siemens and PKE
- Equipment: SiNVR, SiVMS Video Servers
- Vulnerabilities: Missing Authentication for Critical Function, Weak Cryptography for Passwords
--------- End Update A Part 1 of 6 ---------
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-19-344-02 Siemens SiNVR
2019-12-12
Published