Vulnerability-Lookup

CVE-2017-9656 (GCVE-0-2017-9656)

Vulnerability from cvelistv5 – Published: 2018-04-24 15:00 – Updated: 2024-09-17 00:06

Summary

The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Severity ?

No CVSS data available.

CWE

CWE-798 - Use of hard-coded credentials CWE-798

Assigner

icscert

References

URL

Tags

	http://www.securityfocus.com/bid/100471	vdb-entryx_refsource_BID
	https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01	x_refsource_MISC
	http://www.philips.com/productsecurity	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Philips	DoseWise Portal	Affected: 1.1.7.333 Affected: 2.1.1.3069

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:18:01.463Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "100471",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100471"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.philips.com/productsecurity"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DoseWise Portal",
          "vendor": "Philips",
          "versions": [
            {
              "status": "affected",
              "version": "1.1.7.333"
            },
            {
              "status": "affected",
              "version": "2.1.1.3069"
            }
          ]
        }
      ],
      "datePublic": "2017-08-17T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "Use of hard-coded credentials CWE-798",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-25T09:57:01.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "100471",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100471"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.philips.com/productsecurity"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2017-08-17T00:00:00",
          "ID": "CVE-2017-9656",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DoseWise Portal",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.1.7.333"
                          },
                          {
                            "version_value": "2.1.1.3069"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Philips"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Use of hard-coded credentials CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "100471",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100471"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
            },
            {
              "name": "http://www.philips.com/productsecurity",
              "refsource": "CONFIRM",
              "url": "http://www.philips.com/productsecurity"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-9656",
    "datePublished": "2018-04-24T15:00:00.000Z",
    "dateReserved": "2017-06-14T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:06:52.060Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2017-9656

Vulnerability from fkie_nvd - Published: 2018-04-24 15:29 - Updated: 2024-11-21 03:36

Severity ?

9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://www.philips.com/productsecurity	Vendor Advisory
ics-cert@hq.dhs.gov	http://www.securityfocus.com/bid/100471	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.philips.com/productsecurity	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100471	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	philips	dosewise	1.1.7.333
	philips	dosewise	2.1.1.3069

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:philips:dosewise:1.1.7.333:*:*:*:*:*:*:*",
              "matchCriteriaId": "80593A69-82A9-47D2-A64A-248018A0C59D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:philips:dosewise:2.1.1.3069:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE12F34E-51D6-4045-888A-5D702FE85B1F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."
    },
    {
      "lang": "es",
      "value": "La base de datos del backend de la aplicaci\u00f3n Philips DoseWise Portal, en sus versiones 1.1.7.333 y 2.1.1.3069, emplea credenciales embebidas para una cuenta de la base de datos con privilegios que puede afectar a la confidencialidad, integridad y disponibilidad de la base de datos. Para que un atacante explote esta vulnerabilidad, primero necesita privilegios elevados para poder acceder a los archivos del sistema del backend de la aplicaci\u00f3n web que contienen las credenciales embebidas. Si se explota esta vulnerabilidad con \u00e9xito, un atacante remoto podr\u00eda obtener acceso a la base de datos de la aplicaci\u00f3n DWP, que contiene PHI. Puntuaci\u00f3n base de CVSS v3: 9.1, cadena de vector CVSS: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."
    }
  ],
  "id": "CVE-2017-9656",
  "lastModified": "2024-11-21T03:36:35.710",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-24T15:29:00.867",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.philips.com/productsecurity"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100471"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.philips.com/productsecurity"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100471"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-4W62-G43G-55GJ

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36

Details

Severity ?

9.1 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-9656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-24T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.",
  "id": "GHSA-4w62-g43g-55gj",
  "modified": "2022-05-13T01:36:05Z",
  "published": "2022-05-13T01:36:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9656"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
    },
    {
      "type": "WEB",
      "url": "http://www.philips.com/productsecurity"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2017-22813

Vulnerability from cnvd - Published: 2017-08-25

Title

Philips' DoseWise Portal硬编码漏洞

Description

Philips' DoseWise Portal是一个基于网络的报告和辐射暴露的跟踪工具。 Philips' DoseWise Portal存在硬编码漏洞。攻击者利用此漏洞首先需要提高权限，以便攻击者访问包含硬编码凭据的Web应用程序后端系统文件。成功地利用可能允许远程攻击者获得访问的后端应用数据库，其中包含PHI。

Severity

高

Patch Name

Philips' DoseWise Portal硬编码漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01

Reference

https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01

Impacted products

Name
Philips DoseWise Portal >=1.1.7.333，<=2.1.1.3069

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9656"
    }
  },
  "description": "Philips\u0027 DoseWise Portal\u662f\u4e00\u4e2a\u57fa\u4e8e\u7f51\u7edc\u7684\u62a5\u544a\u548c\u8f90\u5c04\u66b4\u9732\u7684\u8ddf\u8e2a\u5de5\u5177\u3002\r\n\r\nPhilips\u0027 DoseWise Portal\u5b58\u5728\u786c\u7f16\u7801\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u6b64\u6f0f\u6d1e\u9996\u5148\u9700\u8981\u63d0\u9ad8\u6743\u9650\uff0c\u4ee5\u4fbf\u653b\u51fb\u8005\u8bbf\u95ee\u5305\u542b\u786c\u7f16\u7801\u51ed\u636e\u7684Web\u5e94\u7528\u7a0b\u5e8f\u540e\u7aef\u7cfb\u7edf\u6587\u4ef6\u3002\u6210\u529f\u5730\u5229\u7528\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u83b7\u5f97\u8bbf\u95ee\u7684\u540e\u7aef\u5e94\u7528\u6570\u636e\u5e93\uff0c\u5176\u4e2d\u5305\u542bPHI\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-22813",
  "openTime": "2017-08-25",
  "patchDescription": "Philips\u0027 DoseWise Portal\u662f\u4e00\u4e2a\u57fa\u4e8e\u7f51\u7edc\u7684\u62a5\u544a\u548c\u8f90\u5c04\u66b4\u9732\u7684\u8ddf\u8e2a\u5de5\u5177\u3002\r\n\r\nPhilips\u0027 DoseWise Portal\u5b58\u5728\u786c\u7f16\u7801\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u6b64\u6f0f\u6d1e\u9996\u5148\u9700\u8981\u63d0\u9ad8\u6743\u9650\uff0c\u4ee5\u4fbf\u653b\u51fb\u8005\u8bbf\u95ee\u5305\u542b\u786c\u7f16\u7801\u51ed\u636e\u7684Web\u5e94\u7528\u7a0b\u5e8f\u540e\u7aef\u7cfb\u7edf\u6587\u4ef6\u3002\u6210\u529f\u5730\u5229\u7528\u53ef\u80fd\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u83b7\u5f97\u8bbf\u95ee\u7684\u540e\u7aef\u5e94\u7528\u6570\u636e\u5e93\uff0c\u5176\u4e2d\u5305\u542bPHI\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Philips\u0027 DoseWise Portal\u786c\u7f16\u7801\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Philips DoseWise Portal \u003e=1.1.7.333\uff0c\u003c=2.1.1.3069"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01",
  "serverity": "\u9ad8",
  "submitTime": "2017-08-21",
  "title": "Philips\u0027 DoseWise Portal\u786c\u7f16\u7801\u6f0f\u6d1e"
}

GSD-2017-9656

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-9656

Aliases

CVE-2017-9656

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-9656",
    "description": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.",
    "id": "GSD-2017-9656"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-9656"
      ],
      "details": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.",
      "id": "GSD-2017-9656",
      "modified": "2023-12-13T01:21:07.949784Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2017-08-17T00:00:00",
        "ID": "CVE-2017-9656",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "DoseWise Portal",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "1.1.7.333"
                        },
                        {
                          "version_value": "2.1.1.3069"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Philips"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Use of hard-coded credentials CWE-798"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "100471",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/100471"
          },
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
          },
          {
            "name": "http://www.philips.com/productsecurity",
            "refsource": "CONFIRM",
            "url": "http://www.philips.com/productsecurity"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:philips:dosewise:2.1.1.3069:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:philips:dosewise:1.1.7.333:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-9656"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01"
            },
            {
              "name": "http://www.philips.com/productsecurity",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.philips.com/productsecurity"
            },
            {
              "name": "100471",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/100471"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2019-10-09T23:30Z",
      "publishedDate": "2018-04-24T15:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-9656 (GCVE-0-2017-9656)

FKIE_CVE-2017-9656

GHSA-4W62-G43G-55GJ

CNVD-2017-22813

GSD-2017-9656

Tags

Sightings

Nomenclature