PT-2017-16347 · Osisoft · Osisoft Pi Web Api+1

Published: 2017-02-13 · Updated: 2017-03-16 · CVE-2017-5153

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OSIsoft PI Coresight versions 2016 R2 and earlier
OSIsoft PI Web API versions 2016 R2 and earlier

Description

An issue has been identified that may expose service account passwords through server log files, potentially leading to unauthorized shutdown of the affected services and reuse of domain credentials.

Recommendations

For OSIsoft PI Coresight versions 2016 R2 and earlier, consider restricting access to server log files to minimize the risk of exposure. For OSIsoft PI Web API versions 2016 R2 and earlier, restrict access to server log files until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2017-5153

Affected Products

Osisoft Pi Coresight
Osisoft Pi Web Api