CVE-2019-7672
Published: 2019-06-05
Priority: P3 · 52 · Severity: high (8.8, CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.44% (82.3rd percentile)
Prima Systems FlexAir, Versions 2.3.38 and prior. The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| primasystems | flexair | <= 2.3.38 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 5.9 | MEDIUM | — |
CISA ICS
Prima Systems FlexAir
cisa_ics · 2019-07-30 · CVSS 7.2
[HIGH] Prima Systems FlexAir
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Prima Systems FlexAir
Last Revised: July 30, 2019
Alert Code: ICSA-19-211-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Prima Systems
- Equipment: FlexAir
- Vulnerabilities: OS Command Injection, Unrestricted Upload of File with Dangerous Type, Cross-site Request Forgery, Small Space of Random Values, Cross-site Scripting, Exposure of Backup file to Unauthorized Control Sphere, Improper Authentication, Use of Hard-coded Credentials
## 2. RISK EVALUATION
Exploitation of these vulnerabilities may allow an attacke
Red Hat
struts: A regular expression Denial of Service when using URLValidator
vendor_redhat · 2017-09-05 · CVSS 5.9
CVE-2017-9804 [MEDIUM] CWE-20
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when the URL is validated. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-c
Red Hat
struts: Denial of service in built-in URLValidator
vendor_redhat · 2017-08-11 · CVSS 5.9
CVE-2017-7672 [MEDIUM] CWE-20
If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when the URL is validated. The solution is to upgrade to Apache Struts version 2.5.12.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google
GHSA
GHSA-2fx6-86r8-c487: Prima Systems FlexAir devices have Hard-coded Credentials
ghsa_unreviewed · 2022-05-24
CVE-2019-7672 [HIGH] CWE-798
Prima Systems FlexAir devices have Hard-coded Credentials.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-9804 struts: A regular expression Denial of Service when using URLValidator
bugzilla · 2017-09-05 · CVSS 5.9
CVE-2017-9804 [MEDIUM]
The previous fix issued with S2-047 (CVE-2017-7672) was incomplete. If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when the URL is validated.
Affected versions:
Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
External References:
https://struts.apache.org/docs/s2-050.html
Discussion:
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat
Bugzilla
CVE-2017-7672 struts: Denial of service in built-in URLValidator
bugzilla · 2017-08-11 · CVSS 5.9
CVE-2017-7672 [MEDIUM]
A flaw was found in Apache Struts 2.5 through 2.5.10.1. If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when the URL is validated.
References:
http://struts.apache.org/docs/s2-047.html
https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E
Discussion:
Created struts tracking bugs for this issue:
Affects: epel-7 [bug 1480616]
Affects: fedora-all [bug 1480615]
---
0ps ... Sorry
---
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not includ
References:
https://applied-risk.com/index.php/download_file/view/199/165
https://applied-risk.com/labs/advisories
https://applied-risk.com/resources/ar-2019-007
https://www.us-cert.gov/ics/advisories/icsa-19-211-02
Published: 2019-06-05