Lucene search

[email protected]CVE-2020-25195

HistoryDec 15, 2020 - 8:15 p.m.

CVE-2020-25195

2020-12-1520:15:15

CWE-20

[email protected]

web.nvd.nist.gov

cve-2020-25195

host engineering

ecom100

input field

length verification

client side

configuration web server

security vulnerability

nvd

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.4%

JSON

The length of the input fields of Host Engineering H0-ECOM100, H2-ECOM100, and H4-ECOM100 modules are verified only on the client side when receiving input from the configuration web server, which may allow an attacker to bypass the check and send input to crash the device.

Affected configurations

NVD

Node

hostengh0-ecom100Match6

AND

hostengh0-ecom100_firmwareRange≤4.0.348

Node

hostengh0-ecom100_firmwareRange≤4.1.113

AND

hostengh0-ecom100Match7

Node

hostengh0-ecom100Match9

AND

hostengh0-ecom100_firmwareRange≤5.0.149

Node

hostengh2-ecom100Match5

AND

hostengh2-ecom100_firmwareRange≤4.0.2148

Node

hostengh2-ecom100Match8

AND

hostengh2-ecom100_firmwareRange≤5.0.1043

Node

hostengh4-ecom100Match-

AND

hostengh4-ecom100_firmwareRange≤4.0.2148

CPENameOperatorVersion
hosteng:h0-ecom100_firmwarehosteng h0-ecom100 firmwarele4.0.348

CPE	Name	Operator	Version
hosteng:h0-ecom100_firmware	hosteng h0-ecom100 firmware	le	4.0.348

CNA Affected

[
  {
    "product": "Host Engineering H0-ECOM100 Module",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Hardware Versions 6x and prior with Firmware Versions 4.0.348 and prior"
      },
      {
        "status": "affected",
        "version": "Hardware Version 7x with Firmware Versions 4.1.113 and prior"
      },
      {
        "status": "affected",
        "version": "Hardware Version 9x with Firmware Versions 5.0.149 and prior"
      }
    ]
  },
  {
    "product": "Host Engineering H2-ECOM100 Module",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Hardware Versions 5x and prior with Firmware Versions 4.0.2148 and prior"
      },
      {
        "status": "affected",
        "version": "Hardware Version 8x with Firmware Versions 5.0.1043 and prior"
      }
    ]
  },
  {
    "product": "Host Engineering H4-ECOM100 Module",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Firmware Versions 4.0.2148 and prior"
      }
    ]
  }
]

References

us-cert.cisa.gov/ics/advisories/icsa-20-345-02

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.4%

JSON

Related for CVE-2020-25195

ics1 prion1 cvelist1 nvd1