VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2021 · Updated Sep 16, 2024

OSIsoft PI Vision

CVE-2021-43553

Description

PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PI Vision prior to 2021 incorrectly authorizes access to child AF attributes configured as Limits, allowing information disclosure to low-privileged users.

Vulnerability

PI Vision versions prior to 2021 contain an incorrect authorization vulnerability (CWE-863) in the handling of AF attributes that are children of another attribute and configured as a Limits property. This flaw allows users with insufficient privileges to view the attribute's data, bypassing intended access controls [1].

Exploitation

An attacker with low-privileged access (e.g., a user with insufficient permissions for the parent attribute) can remotely exploit this vulnerability by interacting with the PI Vision web interface. The attack complexity is high, requiring specific conditions where a child attribute is configured as a Limits property and the user lacks the necessary privileges for that attribute [1].

Impact

Successful exploitation results in unauthorized information disclosure of AF attribute data. The confidentiality impact is limited to the data exposed, with no modification or deletion capabilities. The scope is unchanged, and the attacker gains access to restricted information that should be protected by authorization controls [1].

Mitigation

OSIsoft recommends upgrading to PI Vision 2021, which contains the fix. Workarounds include configuring Publisher and Explorer roles in PI Vision User Access Levels to restrict access. No other mitigations are provided in the available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1


References

1
