CVE-2018-17891 Information

Description

Carestream Vue RIS RIS Client Builds: Version 11.2 and prior running on a Windows 8.1 machine with IIS/7.5. When contacting a Carestream server where there is no Oracle TNS listener available users will trigger an HTTP 500 error leaking technical information an attacker could use to initiate a more elaborate attack.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-18-277-01

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

3.7