CVE-2019-18275
Description
All versions of OSIsoft PI Vision prior to 2019 are vulnerable to improper access control, which may return unauthorized tag data when viewing analysis data reference attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OSIsoft PI Vision prior to 2019 allows unauthorized disclosure of tag data via improper access control when viewing analysis data reference attributes.
Vulnerability
The vulnerability is an improper access control (CWE-284) in OSIsoft PI Vision versions prior to 2019 [1]. When a user views analysis data reference attributes, the application fails to properly enforce access controls, potentially returning tag data that the user is not authorized to see.
Exploitation
An attacker with valid credentials and network access to PI Vision can exploit this vulnerability by accessing analysis data reference attributes. The attack complexity is low, and no user interaction is required beyond normal use. The attacker can retrieve unauthorized tag data by crafting specific requests to view analysis data reference attributes.
Impact
Successful exploitation results in unauthorized disclosure of tag data, which could include sensitive operational information. The confidentiality impact is high, while integrity and availability are not affected. The CVSS v3 base score is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) [1].
Mitigation
OSIsoft has addressed this vulnerability in PI Vision 2019. Users should upgrade to PI Vision 2019 or later [1]. No workarounds are provided. Ensure that access controls are configured correctly and monitor for any unusual access patterns.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OSIsoft/PI Vision (description)
Patches
No patches discovered yet.
References
[1] www.us-cert.gov/ics/advisories/icsa-20-014-06 (mitre, x_refsource_MISC)