CVE-2019-12532

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.

El control de acceso inadecuado en las herramientas de software de Insyde puede permitir que un usuario autenticado permita potencialmente la escalada de privilegios o la divulgación de información a través del acceso local. Esta es una vulnerabilidad de software, no un problema de firmware. Las herramientas afectadas incluyen: H2OFFT versión 3.02 ~ 5.28, 100.00.00.00 ~ 100.00.08.23 y 200.00.00.01 ~ 200.00.00.05, H2OOAE antes de la versión 200.00.00.02, H2OSDE antes de la versión 200.00.00.07, H2OUVE antes de la versión 200.00.02.02, H2OPCM antes de la versión 100.00.06.00, H2OELV antes de la versión 100.00.02.08.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-06-02 CVE Reserved
2019-08-26 CVE Published
2024-08-04 CVE Updated
2024-08-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220223-0004	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.insyde.com/security-pledge/SA-2019001	2022-04-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Insyde Search vendor "Insyde"		H2oelv Search vendor "Insyde" for product "H2oelv"				< 100.00.02.08 Search vendor "Insyde" for product "H2oelv" and version " < 100.00.02.08"		-		Affected
Insyde Search vendor "Insyde"		H2offt Search vendor "Insyde" for product "H2offt"				>= 3.02 <= 5.28 Search vendor "Insyde" for product "H2offt" and version " >= 3.02 <= 5.28"		-		Affected
Insyde Search vendor "Insyde"		H2offt Search vendor "Insyde" for product "H2offt"				>= 100.00.00.00 <= 100.00.08.23 Search vendor "Insyde" for product "H2offt" and version " >= 100.00.00.00 <= 100.00.08.23"		-		Affected
Insyde Search vendor "Insyde"		H2offt Search vendor "Insyde" for product "H2offt"				>= 200.00.00.01 <= 200.00.00.05 Search vendor "Insyde" for product "H2offt" and version " >= 200.00.00.01 <= 200.00.00.05"		-		Affected
Insyde Search vendor "Insyde"		H2ooae Search vendor "Insyde" for product "H2ooae"				< 200.00.00.02 Search vendor "Insyde" for product "H2ooae" and version " < 200.00.00.02"		-		Affected
Insyde Search vendor "Insyde"		H2opcm Search vendor "Insyde" for product "H2opcm"				< 100.00.06.00 Search vendor "Insyde" for product "H2opcm" and version " < 100.00.06.00"		-		Affected
Insyde Search vendor "Insyde"		H2osde Search vendor "Insyde" for product "H2osde"				< 200.00.00.07 Search vendor "Insyde" for product "H2osde" and version " < 200.00.00.07"		-		Affected
Insyde Search vendor "Insyde"		H2ouve Search vendor "Insyde" for product "H2ouve"				< 200.00.02.02 Search vendor "Insyde" for product "H2ouve" and version " < 200.00.02.02"		-		Affected