cvelist / Eaton / CVELIST:CVE-2020-6651
History: May 04, 2020 - 12:00 a.m.

CVE-2020-6651 Command injection via specially crafted file name during config file upload

2020-05-04 00:00:00
CWE-20
Eaton
www.cve.org

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.1 High (Confidence: High)

EPSS: 0.05 Low (Percentile: 92.9%)

Improper input validation of the file name in the configuration file import functionality of Eaton's Intelligent Power Manager (IPM) v1.67 and prior allows attackers to perform command injection or code execution via specially crafted file names when uploading a configuration file to the application.

CNA Affected

[
  {
    "product": "Intelligent Power manager (IPM)",
    "vendor": "Eaton",
    "versions": [
      {
        "lessThanOrEqual": "1.67",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
