
CVE-2020-12069

2022-12-26 19:15:10
CWE-916
mitre
web.nvd.nist.gov

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.1
Confidence: High

EPSS: 0.002
Percentile: 59.4%

In CODESYS V3 products in all versions prior to V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.

Affected configurations

NVD

Node: pilz pmc, range 3.0.0 to 3.5.17

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| pilz | pmc | * | cpe:2.3:a:pilz:pmc:*:*:*:*:*:*:*:* |

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "CODESYS V3  containing the CmpUserMgr",
    "vendor": "CODESYS",
    "versions": [
      {
        "lessThan": "V3.5.16.0",
        "status": "affected",
        "version": "V3",
        "versionType": "custom"
      }
    ]
  }
]
