CVE-2019-7590

Published Jul 19, 2019

Last updated 5 years ago

Overview

Description: ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Source: productsecurity@jci.com
NVD status: Modified

Risk scores

CVSS 3.0

Type: Primary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 4.6
Impact score: 6.4
Exploitability score: 3.9
Vector string: AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-428
productsecurity@jci.com: CWE-428

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_server:9.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B6F79193-B536-4D53-9EB7-38343B9125E0"
          },
          {
            "criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_server:9.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06B0C8B6-ECE0-44E9-9AA6-50D7491024AC"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References