CVE-2014-5428

Опубликовано: 29 мар. 2015

Источник: nvd

CVSS2: 10

EPSS Низкий

Описание

Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to execute arbitrary code by uploading a shell script.

Комментарий

CWE-434: Unrestricted Upload of File with Dangerous Type

Ссылки

https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02
Third Party Advisory
US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02
Third Party Advisory
US Government Resource

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:a:johnsoncontrols:metsys:4.1:*:*:*:*:*:*:*

cpe:2.3:a:johnsoncontrols:metsys:6.5:*:*:*:*:*:*:*

Одно из

cpe:2.3:h:johnsoncontrols:application_and_data_server:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:extended_application_and_data_server:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:lonworks_control_server_lcs8520:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_automation_engine_5510-2:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_automation_engine_5510-2u:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_automation_engine_5511-2:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_automation_engine_5520-2:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_automation_engine_5521-2:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_integration_engine_5510-2:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:network_integration_engine_5511-2:-:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:nxe8500:-:*:*:*:*:*:*:*

EPSS

Процентиль: 85%

0.0265

Низкий

10 Critical

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

GHSA-3mp2-6574-pq2h

github

больше 3 лет назад