Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:713312
HistoryMar 11, 2016 - 12:00 a.m.

DTE Energy Insight app vulnerable to information exposure

2016-03-1100:00:00
www.kb.cert.org
12

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

38.0%

JSON

Overview

The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.

Description

CWE-200**: Information Exposure****-**CVE-2016-1562

The DTE Energy Insight app lets DTE Energy customers track their energy usage. This information is exposed via an HTTP REST API.

The API contains a parameter 'filter' that may be manipulated by an authenticated user. This parameter determines the customer data to be returned by the server. By manipulating the 'filter' parameter, an authorized user may be able to obtain and query limited customer information for other users.

The researcher has released a blog post with more details.

Impact

A remote, authenticated user may be able to obtain limited information about other customers.

Solution

DTE Energy has updated its Insight server backend to mitigate this issue. The researcher has confirmed that the APIs no longer allow access to other data.

Vendor Information

713312

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

DTE Energy __ Affected

Notified: February 03, 2016 Updated: March 01, 2016

Statement Date: February 26, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

DTE Energy has released version 1.7.8 to resolve the reported vulnerability. Ensure your device is updated to the latest version of this app.

CVSS Metrics

Group Score Vector
Base 4 AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal 3.1 E:POC/RL:OF/RC:C
Environmental 2.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jeffrey Quesnelle for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-1562
Date Public: 2016-03-10 Date First Published:

Related

cvelist 1
prion 1
nvd 1
cve 1
cvelist
cvelist
CVE-2016-1562
2016-03-12 02:00:00
prion
prion
Design/Logic Flaw
2016-03-12 02:59:00
nvd
nvd
CVE-2016-1562
2016-03-12 02:59:05
cve
cve
CVE-2016-1562
2016-03-12 02:59:05

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

38.0%

JSON
Related for VU:713312
cvelist1prion1nvd1cve1