CVE-2015-1013

OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01	Third Party Advisory US Government Resource
https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280	Vendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01	Third Party Advisory US Government Resource
https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:osisoft:pi_server:2.6:::::::*
	cpe:2.3:a:osisoft:pi_sql_for_af:2.1.2.19:::::::*

History

No history.

Information

Published : 2015-05-26 01:59

Updated : 2025-04-12 10:46

NVD link : CVE-2015-1013

Mitre link : CVE-2015-1013

CVE.ORG link : CVE-2015-1013

JSON object : View

Products Affected

osisoft

pi_sql_for_af
pi_server

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2015-1013", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-05-26T01:59:01.743", "references": [{"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280", "tags": ["Vendor Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements."}, {"lang": "es", "value": "OSIsoft PI AF 2.6 y 2.7 y PI SQL para AF 2.1.2.19 no aseguran que al grupo de usuarios de confianza PI SQL (AF) le falta la cuenta Everyone, lo que permite a usuarios remotos autenticados evadir las restricciones de comandos a trav\u00e9s de declaraciones SQL."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:osisoft:pi_server:2.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "929EB927-9953-466A-80EC-9D849A620AE5"}, {"criteria": "cpe:2.3:a:osisoft:pi_sql_for_af:2.1.2.19:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5156711-794A-467D-AA76-9B4E6044C680"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}