CVE-2018-10593 : A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorize

A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption.

Published 2018-05-24 16:29:00

Updated 2019-10-09 23:32:52

Source ICS-CERT

View at NVD, CVE.org

Vulnerability category: Sql Injection

Exploit prediction scoring system (EPSS) score for CVE-2018-10593

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-10593

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.8	LOW	AV:A/AC:M/Au:S/C:N/I:P/A:P	4.4	4.9	NIST
Access Vector: Adjacent Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
5.6	MEDIUM	CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H	0.4	5.2	NIST
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2018-10593

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-356 Product UI does not Warn User of Unsafe Actions

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Assigned by: ics-cert@hq.dhs.gov (Secondary)

References for CVE-2018-10593

https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-bd-kiestra-tla-bd-kiestra-wca-bd-inoqula

SQL Function Vulnerability for BD Kiestra TLA, BD Kiestra WCA, BD Kiestra InaquIA +
Vendor Advisory

CVEs referencing this url
https://ics-cert.us-cert.gov/advisories/ICSMA-18-142-01

BD Kiestra and InoquIA Systems (Update A) | CISA
Third Party Advisory;US Government Resource

CVEs referencing this url

Products affected by CVE-2018-10593

BD » Performa
Versions up to, including, (<=) 3.0.0.0
cpe:2.3:a:bd:performa:*:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Inoqula+ » Version: N/A
When used together with: BD » Kiestra Tla » Version: N/A
When used together with: BD » Kiestra Wca » Version: N/A
BD » Database Manager » Version: 3.0.1.0
cpe:2.3:a:bd:database_manager:3.0.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Inoqula+ » Version: N/A
When used together with: BD » Kiestra Tla » Version: N/A
When used together with: BD » Kiestra Wca » Version: N/A
BD » Reada
Versions up to, including, (<=) 1.1.0.2
cpe:2.3:a:bd:reada:*:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Inoqula+ » Version: N/A
When used together with: BD » Kiestra Tla » Version: N/A
When used together with: BD » Kiestra Wca » Version: N/A

Vulnerability Details : CVE-2018-10593

Exploit prediction scoring system (EPSS) score for CVE-2018-10593

CVSS scores for CVE-2018-10593

CWE ids for CVE-2018-10593

References for CVE-2018-10593

Products affected by CVE-2018-10593