VYPR
Unrated severity · NVD Advisory · Published Oct 4, 2018 · Updated Sep 17, 2024

CVE-2018-17891

Description

Carestream Vue RIS, RIS Client Builds: Version 11.2 and prior running on a Windows 8.1 machine with IIS/7.5. When contacting a Carestream server where there is no Oracle TNS listener available, users will trigger an HTTP 500 error, leaking technical information an attacker could use to initiate a more elaborate attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Carestream Vue RIS Client Builds 11.2 and prior leak technical information via an HTTP 500 error when no Oracle TNS listener is available.

Vulnerability

Carestream Vue RIS client builds version 11.2 and prior, running on Windows 8.1 with IIS/7.5, expose technical information via an HTTP 500 error when an Oracle TNS listener is unavailable. This is an information exposure through an error message (CWE-209). [1]

Exploitation

An attacker with network access to the affected system can passively read traffic to capture the HTTP 500 error response, which contains technical details. No authentication is required, but the attack complexity is high (CVSS v3 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). [1]

Impact

Successful exploitation results in low confidentiality impact, leaking technical information that an attacker could use to initiate more elaborate attacks. There is no impact on integrity or availability. [1]

Mitigation

Carestream has remediated the vulnerability in RIS client builds version 11.3 and forward by addressing the information leakage and enabling SSL. For RIS 11.2 on Windows 8.1 with IIS 7.2, workarounds include disabling "Show debug messages" and enabling SSL for client/server communications. Users should contact Carestream support for assistance. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: <=11.2
  • Carestream/Vue RISv5
    Range: RIS Client Builds: Version 11.2 and prior running on a Windows 8.1 machine with IIS/7.5

Patches

0

No patches discovered yet.

References

1
