SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-699384581] OSIsoft PI Web API

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2018-03-13OtherOSIsoftOSIsoft self-reported the vulnerabilities to NCCIC.N/ACVE-2018-7500 CVE-2018-7508 N/AN/AN/A

Source

						
							
								
#
# OSIsoft PI Web API
#


### VULNERABLE VENDOR
OSIsoft


### VULNERABLE PRODUCT
PI Web API 


### RESEARCHER
OSIsoft self-reported the vulnerabilities to NCCIC.


### AFFECTED PRODUCTS
OSIsoft reports that the vulnerabilities affect the following PI Web API products:

PI Web API versions 2017 R2 and prior
NOTE: Not all configurations of PI Web API listed above are affected. Please see the OSIsoft alerts referenced in the Mitigation section


### IMPACT
Successful exploitation of these vulnerabilities could allow escalated privileges and may allow remote code execution.


### VULNERABILITY OVERVIEW
PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264
Privileges may be escalated, giving attackers access to the PI System via the service account.
CVE-2018-7500 has been assigned to this vulnerability.
A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)


IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Cross-site scripting may occur when input is incorrectly neutralized.
CVE-2018-7508 has been assigned to this vulnerability.
A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)





### BACKGROUND
Critical Infrastructure Sectors: Multiple Sectors
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States




### MITIGATION

OSIsoft recommends that users upgrade to PI Vision 2017 R2 Update 1 or PI AF Services 2017 R2 Update 1, which both address the PI Web API vulnerabilities. OBtain the updates from OSIsoft.

OSIsoft has released the following alerts:

https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00337


https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00336