History: Jun 24, 2020 - 5:15 a.m.

CVE-2020-10275

2020-06-24 05:15:13
CWE-326
CWE-261
web.nvd.nist.gov
cve-2020-10275
access tokens
default credentials
rest api
unauthorized access
data exfiltration
data infiltration
data deletion
nvd

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.2 High
Confidence: High

EPSS: 0.002 Low
Percentile: 60.8%

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

Affected configurations

NVD
Node
mobile-industrial-robots  mir100_firmware  Range 2.8.1.1
AND
mobile-industrial-robots  mir100  Match -
Node
mobile-industrial-robots  mir200_firmware  Match -
AND
mobile-industrial-robots  mir200  Match -
Node
mobile-industrial-robots  mir250_firmware  Match -
AND
mobile-industrial-robots  mir250  Match -
Node
mobile-industrial-robots  mir500_firmware  Match -
AND
mobile-industrial-robots  mir500  Match -
Node
mobile-industrial-robots  mir1000_firmware  Match -
AND
mobile-industrial-robots  mir1000  Match -
Node
easyrobotics  er200_firmware  Match -
AND
easyrobotics  er200  Match -
Node
easyrobotics  er-lite_firmware  Match -
AND
easyrobotics  er-lite  Match -
Node
easyrobotics  er-flex_firmware  Match -
AND
easyrobotics  er-flex  Match -
Node
easyrobotics  er-one_firmware  Match -
AND
easyrobotics  er-one  Match -
Node
uvd-robots  uvd_firmware  Match -
AND
uvd-robots  uvd  Match -

CNA Affected

[
  {
    "product": "MiR100",
    "vendor": "Mobile Industrial Robots A/S",
    "versions": [
      {
        "status": "affected",
        "version": "v2.8.1.1 and before"
      }
    ]
  }
]
