Lucene search

EatonCVELIST:CVE-2020-6650

HistoryMar 23, 2020 - 1:25 p.m.

CVE-2020-6650 Arbitrary code execution through “Update Manager” Class

2020-03-2313:25:43

CWE-95

Eaton

www.cve.org

CVSS3

8.3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

44.3%

JSON

UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.

CNA Affected

[
  {
    "product": "UPS Companion Software",
    "vendor": "Eaton",
    "versions": [
      {
        "lessThanOrEqual": "1.05",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-UPS-companion-software.pdf

CVSS3

8.3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

44.3%

JSON

Related for CVELIST:CVE-2020-6650