{"api_version":"1","generated_at":"2026-06-13T19:30:43+00:00","cve":"CVE-2015-1013","urls":{"html":"https://cve.report/CVE-2015-1013","api":"https://cve.report/api/cve/CVE-2015-1013.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-1013","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-1013"},"summary":{"title":"CVE-2015-1013","description":"OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements.","state":"PUBLISHED","assigner":"icscert","published_at":"2015-05-26 01:59:01","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-89","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.5","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01","name":"https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"OSIsoft PI AF Incorrect Default Permissions Vulnerability | ICS-CERT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280","name":"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Security Bulletin Vulnerability in PI SQL (AF) Trusted Users group could allow bypassing of security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-1013","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1013","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"1013","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"osisoft","cpe5":"pi_server","cpe6":"2.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"1013","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"osisoft","cpe5":"pi_sql_for_af","cpe6":"2.1.2.19","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T04:26:11.576Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2015-05-12T00:00:00.000Z","descriptions":[{"lang":"en","value":"OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2015-05-26T01:57:00.000Z","orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280"},{"tags":["x_refsource_MISC"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2015-1013","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280","refsource":"CONFIRM","url":"https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00280"},{"name":"https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01","refsource":"MISC","url":"https://ics-cert.us-cert.gov/advisories/ICSA-15-132-01"}]}}}},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2015-1013","datePublished":"2015-05-26T01:00:00.000Z","dateReserved":"2015-01-10T00:00:00.000Z","dateUpdated":"2024-08-06T04:26:11.576Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2015-05-26 01:59:01","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-89","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:osisoft:pi_server:2.6:*:*:*:*:*:*:*","matchCriteriaId":"929EB927-9953-466A-80EC-9D849A620AE5"},{"vulnerable":true,"criteria":"cpe:2.3:a:osisoft:pi_sql_for_af:2.1.2.19:*:*:*:*:*:*:*","matchCriteriaId":"B5156711-794A-467D-AA76-9B4E6044C680"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"1013","Ordinal":"1","Title":"CVE-2015-1013","CVE":"CVE-2015-1013","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"1013","Ordinal":"1","NoteData":"OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements.","Type":"Description","Title":"CVE-2015-1013"},{"CveYear":"2015","CveId":"1013","Ordinal":"2","NoteData":"2015-05-25","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"1013","Ordinal":"3","NoteData":"2015-05-25","Type":"Other","Title":"Modified"}]}}}