Vulnerability Details : CVE-2019-13517
In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain.
Exploit prediction scoring system (EPSS) score for CVE-2019-13517
Probability of exploitation activity in the next 30 days: 0.10%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 42 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-13517
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
|
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2019-13517
-
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Assigned by:
- ics-cert@hq.dhs.gov (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2019-13517
-
https://www.us-cert.gov/ics/advisories/icsma-19-248-01
BD Pyxis (Update A) | CISAMitigation;Third Party Advisory;US Government Resource
Products affected by CVE-2019-13517
- cpe:2.3:a:bd:pyxis_enterprise_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:bd:pyxis_es:*:*:*:*:*:*:*:*