CWE-288
Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CVE-2019-9510 (GCVE-0-2019-9510)
Vulnerability from cvelistv5 – Published: 2020-01-15 17:05 – Updated: 2024-09-17 04:00
VLAI
Title
Microsoft Windows RDP can bypass the Windows lock screen
Summary
A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 and later systems can allow authenticated RDP-connected clients to gain access to user sessions without needing to interact with the Windows lock screen. Should a network anomaly trigger a temporary RDP disconnect, Automatic Reconnection of the RDP session will be restored to an unlocked state, regardless of how the remote system was left. By interrupting network connectivity of a system, an attacker with access to a system being used as a Windows RDP client can gain access to a connected remote system, regardless of whether or not the remote system was locked. This issue affects Microsoft Windows 10, version 1803 and later, and Microsoft Windows Server 2019, version 2019 and later.
Severity
5.3 (Medium)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.kb.cert.org/vuls/id/576688/ | third-party-advisoryx_refsource_CERT-VN |
| https://docs.microsoft.com/en-us/previous-version… | x_refsource_MISC |
| https://docs.microsoft.com/en-us/openspecs/window… | x_refsource_MISC |
| https://social.technet.microsoft.com/Forums/windo… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Windows 10 or newer system using RDP |
Affected:
1803 , < 10 *
(custom)
|
|
| Microsoft | Windows Server |
Affected:
2019 , < 2019*
(custom)
|
Date Public
2019-06-04 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:54:44.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#576688",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/576688/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713%28v=ws.11%29"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e729948a-3f4e-4568-9aef-d355e30b5389"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://social.technet.microsoft.com/Forums/windowsserver/en-US/1fd171de-a1b5-4721-86bf-082e4a375049/rds-2019-but-probably-other-versions-as-well-locked-rdp-session-logs-in-after-session-reconnect"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Windows 10 or newer system using RDP",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "10 *",
"status": "affected",
"version": "1803",
"versionType": "custom"
}
]
},
{
"product": "Windows Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2019*",
"status": "affected",
"version": "2019",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Joe Tammariello of the SEI for reporting this vulnerability."
}
],
"datePublic": "2019-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 and later systems can allow authenticated RDP-connected clients to gain access to user sessions without needing to interact with the Windows lock screen. Should a network anomaly trigger a temporary RDP disconnect, Automatic Reconnection of the RDP session will be restored to an unlocked state, regardless of how the remote system was left. By interrupting network connectivity of a system, an attacker with access to a system being used as a Windows RDP client can gain access to a connected remote system, regardless of whether or not the remote system was locked. This issue affects Microsoft Windows 10, version 1803 and later, and Microsoft Windows Server 2019, version 2019 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T17:05:27.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VU#576688",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/576688/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713%28v=ws.11%29"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e729948a-3f4e-4568-9aef-d355e30b5389"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://social.technet.microsoft.com/Forums/windowsserver/en-US/1fd171de-a1b5-4721-86bf-082e4a375049/rds-2019-but-probably-other-versions-as-well-locked-rdp-session-logs-in-after-session-reconnect"
}
],
"source": {
"advisory": "VU#576688",
"discovery": "UNKNOWN"
},
"title": "Microsoft Windows RDP can bypass the Windows lock screen",
"workarounds": [
{
"lang": "en",
"value": "Disable RDP automatic reconnection on RDP servers. Disconnect RDP sessions instead of locking them."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2019-06-04T00:00:00.000Z",
"ID": "CVE-2019-9510",
"STATE": "PUBLIC",
"TITLE": "Microsoft Windows RDP can bypass the Windows lock screen"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Windows 10 or newer system using RDP",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "10",
"version_value": "1803"
}
]
}
},
{
"product_name": "Windows Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "2019",
"version_value": "2019"
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Joe Tammariello of the SEI for reporting this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in Microsoft Windows 10 1803 and Windows Server 2019 and later systems can allow authenticated RDP-connected clients to gain access to user sessions without needing to interact with the Windows lock screen. Should a network anomaly trigger a temporary RDP disconnect, Automatic Reconnection of the RDP session will be restored to an unlocked state, regardless of how the remote system was left. By interrupting network connectivity of a system, an attacker with access to a system being used as a Windows RDP client can gain access to a connected remote system, regardless of whether or not the remote system was locked. This issue affects Microsoft Windows 10, version 1803 and later, and Microsoft Windows Server 2019, version 2019 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#576688",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/576688/"
},
{
"name": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)",
"refsource": "MISC",
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)"
},
{
"name": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e729948a-3f4e-4568-9aef-d355e30b5389",
"refsource": "MISC",
"url": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e729948a-3f4e-4568-9aef-d355e30b5389"
},
{
"name": "https://social.technet.microsoft.com/Forums/windowsserver/en-US/1fd171de-a1b5-4721-86bf-082e4a375049/rds-2019-but-probably-other-versions-as-well-locked-rdp-session-logs-in-after-session-reconnect",
"refsource": "MISC",
"url": "https://social.technet.microsoft.com/Forums/windowsserver/en-US/1fd171de-a1b5-4721-86bf-082e4a375049/rds-2019-but-probably-other-versions-as-well-locked-rdp-session-logs-in-after-session-reconnect"
}
]
},
"source": {
"advisory": "VU#576688",
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Disable RDP automatic reconnection on RDP servers. Disconnect RDP sessions instead of locking them."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2019-9510",
"datePublished": "2020-01-15T17:05:27.546Z",
"dateReserved": "2019-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:00:12.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10048 (GCVE-0-2020-10048)
Vulnerability from cvelistv5 – Published: 2021-02-09 15:38 – Updated: 2024-08-04 10:50
VLAI
Summary
A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC WinCC (All versions < V7.5 SP2). Due to an insecure password verification process, an attacker could bypass the password protection set on protected files, thus being granted access to the protected content, circumventing authentication.
Severity
No CVSS data available.
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SIMATIC PCS 7 |
Affected:
All versions
|
|
| Siemens | SIMATIC WinCC |
Affected:
All versions < V7.5 SP2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:50:57.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-944678.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SIMATIC PCS 7",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "SIMATIC WinCC",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V7.5 SP2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC WinCC (All versions \u003c V7.5 SP2). Due to an insecure password verification process, an attacker could bypass the password protection set on protected files, thus being granted access to the protected content, circumventing authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-09T15:38:17.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-944678.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2020-10048",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SIMATIC PCS 7",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "SIMATIC WinCC",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V7.5 SP2"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC WinCC (All versions \u003c V7.5 SP2). Due to an insecure password verification process, an attacker could bypass the password protection set on protected files, thus being granted access to the protected content, circumventing authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-944678.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-944678.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2020-10048",
"datePublished": "2021-02-09T15:38:17.000Z",
"dateReserved": "2020-03-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:50:57.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10148 (GCVE-0-2020-10148)
Vulnerability from cvelistv5 – Published: 2020-12-29 21:55 – Updated: 2025-10-21 23:35
VLAI
Title
SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands
Summary
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
Severity
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.solarwinds.com/securityadvisory | x_refsource_CONFIRM |
| https://kb.cert.org/vuls/id/843464 | third-party-advisoryx_refsource_CERT-VN |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SolarWinds | Orion Platform |
Affected:
2019.4 HF 5
Affected: 2020.2 without hotfix Affected: 2020.2 HF 1 |
Date Public
2020-12-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:50:57.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/843464"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.solarwinds.com/securityadvisory"
},
{
"name": "VU#843464",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/843464"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "orion_platform",
"vendor": "solarwinds",
"versions": [
{
"status": "affected",
"version": "2019.4"
}
]
},
{
"cpes": [
"cpe:2.3:a:solarwinds:orion_platform:2020.2.1:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "orion_platform",
"vendor": "solarwinds",
"versions": [
{
"status": "affected",
"version": "2020.2.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:solarwinds:orion_platform:2020.2:hotfix1:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "orion_platform",
"vendor": "solarwinds",
"versions": [
{
"status": "affected",
"version": "2020.2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-10148",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T19:31:04.550116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2021-11-03",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:30.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148"
}
],
"timeline": [
{
"lang": "en",
"time": "2021-11-03T00:00:00.000Z",
"value": "CVE-2020-10148 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Orion Platform",
"vendor": "SolarWinds",
"versions": [
{
"status": "affected",
"version": "2019.4 HF 5"
},
{
"status": "affected",
"version": "2020.2 without hotfix"
},
{
"status": "affected",
"version": "2020.2 HF 1"
}
]
}
],
"datePublic": "2020-12-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-29T21:55:16.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.solarwinds.com/securityadvisory"
},
{
"name": "VU#843464",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://kb.cert.org/vuls/id/843464"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to the relevant versions of the SolarWinds Orion Platform:\n\n2019.4 HF 6 (released December 14, 2020)\n2020.2.1 HF 2 (released December 15, 2020)\n2019.2 SUPERNOVA Patch (released December 23, 2020)\n2018.4 SUPERNOVA Patch (released December 23, 2020)\n2018.2 SUPERNOVA Patch (released December 23, 2020)"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "SUNBURST",
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2020-12-13T00:00:00.000Z",
"ID": "CVE-2020-10148",
"STATE": "PUBLIC",
"TITLE": "SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Orion Platform",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2019.4 HF 5",
"version_value": "2019.4 HF 5"
},
{
"version_affected": "=",
"version_name": "2020.2 without hotfix",
"version_value": "2020.2 without hotfix"
},
{
"version_affected": "=",
"version_name": "2020.2 HF 1",
"version_value": "2020.2 HF 1"
}
]
}
}
]
},
"vendor_name": "SolarWinds"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.solarwinds.com/securityadvisory",
"refsource": "CONFIRM",
"url": "https://www.solarwinds.com/securityadvisory"
},
{
"name": "VU#843464",
"refsource": "CERT-VN",
"url": "https://kb.cert.org/vuls/id/843464"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to the relevant versions of the SolarWinds Orion Platform:\n\n2019.4 HF 6 (released December 14, 2020)\n2020.2.1 HF 2 (released December 15, 2020)\n2019.2 SUPERNOVA Patch (released December 23, 2020)\n2018.4 SUPERNOVA Patch (released December 23, 2020)\n2018.2 SUPERNOVA Patch (released December 23, 2020)"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2020-10148",
"datePublished": "2020-12-29T21:55:16.195Z",
"dateReserved": "2020-03-05T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:30.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10283 (GCVE-0-2020-10283)
Vulnerability from cvelistv5 – Published: 2020-08-20 08:15 – Updated: 2024-09-16 17:08
VLAI
Title
RVD#3317: MAVLink version handshaking allows for an attacker to bypass authentication
Summary
The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly.
Severity
8.1 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/aliasrobotics/RVD/issues/3316 | x_refsource_CONFIRM |
Date Public
2020-08-20 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:58:40.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/aliasrobotics/RVD/issues/3316"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAVLink",
"vendor": "PX4",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Victor Mayoral Vilches (Alias Robotics)"
}
],
"datePublic": "2020-08-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-20T08:15:12.000Z",
"orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
"shortName": "Alias"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aliasrobotics/RVD/issues/3316"
}
],
"source": {
"defect": [
"RVD#3317"
],
"discovery": "EXTERNAL"
},
"title": "RVD#3317: MAVLink version handshaking allows for an attacker to bypass authentication",
"x_generator": {
"engine": "Robot Vulnerability Database (RVD)"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@aliasrobotics.com",
"DATE_PUBLIC": "2020-08-20T08:07:15 +00:00",
"ID": "CVE-2020-10283",
"STATE": "PUBLIC",
"TITLE": "RVD#3317: MAVLink version handshaking allows for an attacker to bypass authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAVLink",
"version": {
"version_data": [
{
"version_value": "2.0"
}
]
}
}
]
},
"vendor_name": "PX4"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Victor Mayoral Vilches (Alias Robotics)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Micro Air Vehicle Link (MAVLink) protocol presents authentication mechanisms on its version 2.0 however according to its documentation, in order to maintain backwards compatibility, GCS and autopilot negotiate the version via the AUTOPILOT_VERSION message. Since this negotiation depends on the answer, an attacker may craft packages in a way that hints the autopilot to adopt version 1.0 of MAVLink for the communication. Given the lack of authentication capabilities in such version of MAVLink (refer to CVE-2020-10282), attackers may use this method to bypass authentication capabilities and interact with the autopilot directly."
}
]
},
"generator": {
"engine": "Robot Vulnerability Database (RVD)"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "high",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/aliasrobotics/RVD/issues/3316",
"refsource": "CONFIRM",
"url": "https://github.com/aliasrobotics/RVD/issues/3316"
}
]
},
"source": {
"defect": [
"RVD#3317"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
"assignerShortName": "Alias",
"cveId": "CVE-2020-10283",
"datePublished": "2020-08-20T08:15:13.054Z",
"dateReserved": "2020-03-10T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:08:41.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11005 (GCVE-0-2020-11005)
Vulnerability from cvelistv5 – Published: 2020-04-14 22:30 – Updated: 2024-08-04 11:21
VLAI
Title
Internal NCryptDecrypt method could be used externally from WindowsHello library.
Summary
The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4.
Severity
5.1 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/SeppPenner/WindowsHello/securi… | x_refsource_CONFIRM |
| https://github.com/SeppPenner/WindowsHello/issues/3 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SeppPenner | WindowsHello |
Affected:
< 1.0.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:13.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/SeppPenner/WindowsHello/issues/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WindowsHello",
"vendor": "SeppPenner",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-14T22:30:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SeppPenner/WindowsHello/issues/3"
}
],
"source": {
"advisory": "GHSA-wvpv-ffcv-r6cw",
"discovery": "UNKNOWN"
},
"title": "Internal NCryptDecrypt method could be used externally from WindowsHello library.",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11005",
"STATE": "PUBLIC",
"TITLE": "Internal NCryptDecrypt method could be used externally from WindowsHello library."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WindowsHello",
"version": {
"version_data": [
{
"version_value": "\u003c 1.0.4"
}
]
}
}
]
},
"vendor_name": "SeppPenner"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WindowsHello open source library (NuGet HaemmerElectronics.SeppPenner.WindowsHello), before version 1.0.4, has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again. This has been patched in version 1.0.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw",
"refsource": "CONFIRM",
"url": "https://github.com/SeppPenner/WindowsHello/security/advisories/GHSA-wvpv-ffcv-r6cw"
},
{
"name": "https://github.com/SeppPenner/WindowsHello/issues/3",
"refsource": "MISC",
"url": "https://github.com/SeppPenner/WindowsHello/issues/3"
}
]
},
"source": {
"advisory": "GHSA-wvpv-ffcv-r6cw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11005",
"datePublished": "2020-04-14T22:30:14.000Z",
"dateReserved": "2020-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:21:13.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13185 (GCVE-0-2020-13185)
Vulnerability from cvelistv5 – Published: 2021-02-11 15:10 – Updated: 2024-08-04 12:11
VLAI
Summary
Certain web application pages in the authenticated section of the Teradici Cloud Access Connector prior to v18 were accessible without the need to specify authentication tokens, which allowed an attacker in the ability to execute sensitive functions without credentials.
Severity
No CVSS data available.
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://advisory.teradici.com/security-advisories/69/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | - Cloud Access Connector - Cloud Access Connector Legacy |
Affected:
v18 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.teradici.com/security-advisories/69/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "- Cloud Access Connector - Cloud Access Connector Legacy",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "v18 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Certain web application pages in the authenticated section of the Teradici Cloud Access Connector prior to v18 were accessible without the need to specify authentication tokens, which allowed an attacker in the ability to execute sensitive functions without credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-11T15:10:16.000Z",
"orgId": "ba3c294d-a544-4fff-ad44-2de7c7bbb6be",
"shortName": "Teradici"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.teradici.com/security-advisories/69/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@teradici.com",
"ID": "CVE-2020-13185",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "- Cloud Access Connector - Cloud Access Connector Legacy",
"version": {
"version_data": [
{
"version_value": "v18 and earlier"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Certain web application pages in the authenticated section of the Teradici Cloud Access Connector prior to v18 were accessible without the need to specify authentication tokens, which allowed an attacker in the ability to execute sensitive functions without credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisory.teradici.com/security-advisories/69/",
"refsource": "MISC",
"url": "https://advisory.teradici.com/security-advisories/69/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ba3c294d-a544-4fff-ad44-2de7c7bbb6be",
"assignerShortName": "Teradici",
"cveId": "CVE-2020-13185",
"datePublished": "2021-02-11T15:10:16.000Z",
"dateReserved": "2020-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:11:19.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14477 (GCVE-0-2020-14477)
Vulnerability from cvelistv5 – Published: 2020-06-26 16:15 – Updated: 2025-06-04 21:56
VLAI
Title
Philips Ultrasound Systems Authentication Bypass Using an Alternate Path or Channel
Summary
In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information.
Severity
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.us-cert.gov/ics/advisories/icsma-20-177-01 | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Philips | Ultrasound ClearVue |
Affected:
0 , < versions 3.2
(custom)
|
|
| Philips | Ultrasound CX |
Affected:
0 , < versions 5.0.2
(custom)
|
|
| Philips | Ultrasound EPIQ/Affiniti |
Affected:
0 , < versions VM5.0
(custom)
|
|
| Philips | Ultrasound Sparq |
Affected:
0 , < version 3.0.2
(custom)
|
|
| Philips | Ultrasound Xperius |
Affected:
all versions
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-177-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ultrasound ClearVue",
"vendor": "Philips",
"versions": [
{
"lessThan": "versions 3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ultrasound CX",
"vendor": "Philips",
"versions": [
{
"lessThan": "versions 5.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ultrasound EPIQ/Affiniti",
"vendor": "Philips",
"versions": [
{
"lessThan": "versions VM5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ultrasound Sparq",
"vendor": "Philips",
"versions": [
{
"lessThan": "version 3.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Ultrasound Xperius",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Philips reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information.\u003c/p\u003e"
}
],
"value": "In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T21:56:59.294Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-177-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePhilips released Ultrasound EPIQ/Affiniti Version VM6.0 in April 2020\n and recommends users with the Ultrasound EPIQ/Affiniti systems to \ncontact their local Philips service support team, or regional service \nsupport for installation information.\u003c/p\u003e\n\u003cp\u003ePhilips is currently planning the following new releases:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUltrasound ClearVue Version 3.3 release in Q4 2020\u003c/li\u003e\n\u003cli\u003eUltrasound CX Version 5.0.3 release in Q4 2020\u003c/li\u003e\n\u003cli\u003eUltrasound Sparq Version 3.0.3 release in Q4 2020\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAs an interim mitigation to this vulnerability, Philips recommends \ncustomers ensure service providers can guarantee installed device \nintegrity during all service and repair operations.\u003c/p\u003e\n\u003cp\u003eUsers with questions regarding their specific Ultrasound installation\n should contact the Philips service support team or regional service \nsupport.\u003c/p\u003e\u003cp\u003eUsers can contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\"\u003ePhilips customer service\u003c/a\u003e, and find more details in the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.philips.com/productsecurity\"\u003ePhilips advisory \u003c/a\u003e(external link). Please see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.philips.com/productsecurity\"\u003ePhilips product security website\u003c/a\u003e for the latest security information for Philips products.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Philips released Ultrasound EPIQ/Affiniti Version VM6.0 in April 2020\n and recommends users with the Ultrasound EPIQ/Affiniti systems to \ncontact their local Philips service support team, or regional service \nsupport for installation information.\n\n\nPhilips is currently planning the following new releases:\n\n\n\n * Ultrasound ClearVue Version 3.3 release in Q4 2020\n\n * Ultrasound CX Version 5.0.3 release in Q4 2020\n\n * Ultrasound Sparq Version 3.0.3 release in Q4 2020\n\n\n\n\nAs an interim mitigation to this vulnerability, Philips recommends \ncustomers ensure service providers can guarantee installed device \nintegrity during all service and repair operations.\n\n\nUsers with questions regarding their specific Ultrasound installation\n should contact the Philips service support team or regional service \nsupport.\n\nUsers can contact Philips customer service https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , and find more details in the Philips advisory http://www.philips.com/productsecurity (external link). Please see the Philips product security website http://www.philips.com/productsecurity for the latest security information for Philips products."
}
],
"source": {
"advisory": "ICSMA-20-177-01",
"discovery": "INTERNAL"
},
"title": "Philips Ultrasound Systems Authentication Bypass Using an Alternate Path or Channel",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-14477",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Philips Ultrasound ClearVue",
"version": {
"version_data": [
{
"version_value": "versions 3.2 and prior"
}
]
}
},
{
"product_name": "Ultrasound CX",
"version": {
"version_data": [
{
"version_value": "versions 5.0.2 and prior"
}
]
}
},
{
"product_name": "Ultrasound EPIQ/Affiniti",
"version": {
"version_data": [
{
"version_value": "versions VM5.0 and prior"
}
]
}
},
{
"product_name": "Ultrasound Sparq",
"version": {
"version_data": [
{
"version_value": "version 3.0.2 and prior"
}
]
}
},
{
"product_name": "Ultrasound Xperius",
"version": {
"version_data": [
{
"version_value": "all versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsma-20-177-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-177-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-14477",
"datePublished": "2020-06-26T16:15:14.000Z",
"dateReserved": "2020-06-19T00:00:00.000Z",
"dateUpdated": "2025-06-04T21:56:59.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14485 (GCVE-0-2020-14485)
Vulnerability from cvelistv5 – Published: 2020-07-20 14:45 – Updated: 2024-08-04 12:46
VLAI
Summary
OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries.
Severity
No CVSS data available.
CWE
- CWE-288 - AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | OpenClinic GA |
Affected:
Versions 5.09.02 and 5.89.05b
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenClinic GA",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions 5.09.02 and 5.89.05b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-20T14:45:10.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-14485",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenClinic GA",
"version": {
"version_data": [
{
"version_value": "Versions 5.09.02 and 5.89.05b"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-14485",
"datePublished": "2020-07-20T14:45:10.000Z",
"dateReserved": "2020-06-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:46:34.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15633 (GCVE-0-2020-15633)
Vulnerability from cvelistv5 – Published: 2020-07-23 20:45 – Updated: 2024-08-04 13:22
VLAI
Summary
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835.
Severity
8.8 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://supportannouncement.us.dlink.com/announce… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| D-Link | Multiple Routers |
Affected:
1.20B10_BETA
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-881/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Multiple Routers",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "1.20B10_BETA"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "chung96vn of Vietnam Cyber Security Center"
}
],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-23T20:45:18.000Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-881/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "zdi-disclosures@trendmicro.com",
"ID": "CVE-2020-15633",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Multiple Routers",
"version": {
"version_data": [
{
"version_value": "1.20B10_BETA"
}
]
}
}
]
},
"vendor_name": "D-Link"
}
]
}
},
"credit": "chung96vn of Vietnam Cyber Security Center",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835."
}
]
},
"impact": {
"cvss": {
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-881/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-881/"
},
{
"name": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186",
"refsource": "MISC",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2020-15633",
"datePublished": "2020-07-23T20:45:18.000Z",
"dateReserved": "2020-07-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:22:30.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1618 (GCVE-0-2020-1618)
Vulnerability from cvelistv5 – Published: 2020-04-08 19:25 – Updated: 2024-09-17 01:56
VLAI
Title
Junos OS: EX and QFX Series: Console port authentication bypass vulnerability
Summary
On Juniper Networks EX and QFX Series, an authentication bypass vulnerability may allow a user connected to the console port to login as root without any password. This issue might only occur in certain scenarios: • At the first reboot after performing device factory reset using the command “request system zeroize”; or • A temporary moment during the first reboot after the software upgrade when the device configured in Virtual Chassis mode. This issue affects Juniper Networks Junos OS on EX and QFX Series: 14.1X53 versions prior to 14.1X53-D53; 15.1 versions prior to 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S4; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2; 18.3 versions prior to 18.3R1-S7, 18.3R2. This issue does not affect Juniper Networks Junos OS 12.3.
Severity
6.3 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.juniper.net/JSA11001 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Unaffected:
12.3
Affected: 14.1X53 , < 14.1X53-D53 (custom) Affected: 15.1 , < 15.1R7-S4 (custom) Affected: 15.1X53 , < 15.1X53-D593 (custom) Affected: 16.1 , < 16.1R7-S4 (custom) Affected: 17.1 , < 17.1R2-S11, 17.1R3-S1 (custom) Affected: 17.2 , < 17.2R3-S3 (custom) Affected: 17.3 , < 17.3R2-S5, 17.3R3-S6 (custom) Affected: 17.4 , < 17.4R2-S9, 17.4R3 (custom) Affected: 18.1 , < 18.1R3-S8 (custom) Affected: 18.2 , < 18.2R2 (custom) Affected: 18.3 , < 18.3R1-S7, 18.3R2 (custom) |
Date Public
2020-04-08 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:46:30.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.juniper.net/JSA11001"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"EX and QFX Series"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"status": "unaffected",
"version": "12.3"
},
{
"lessThan": "14.1X53-D53",
"status": "affected",
"version": "14.1X53",
"versionType": "custom"
},
{
"lessThan": "15.1R7-S4",
"status": "affected",
"version": "15.1",
"versionType": "custom"
},
{
"lessThan": "15.1X53-D593",
"status": "affected",
"version": "15.1X53",
"versionType": "custom"
},
{
"lessThan": "16.1R7-S4",
"status": "affected",
"version": "16.1",
"versionType": "custom"
},
{
"lessThan": "17.1R2-S11, 17.1R3-S1",
"status": "affected",
"version": "17.1",
"versionType": "custom"
},
{
"lessThan": "17.2R3-S3",
"status": "affected",
"version": "17.2",
"versionType": "custom"
},
{
"lessThan": "17.3R2-S5, 17.3R3-S6",
"status": "affected",
"version": "17.3",
"versionType": "custom"
},
{
"lessThan": "17.4R2-S9, 17.4R3",
"status": "affected",
"version": "17.4",
"versionType": "custom"
},
{
"lessThan": "18.1R3-S8",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThan": "18.2R2",
"status": "affected",
"version": "18.2",
"versionType": "custom"
},
{
"lessThan": "18.3R1-S7, 18.3R2",
"status": "affected",
"version": "18.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-04-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "On Juniper Networks EX and QFX Series, an authentication bypass vulnerability may allow a user connected to the console port to login as root without any password. This issue might only occur in certain scenarios: \u2022 At the first reboot after performing device factory reset using the command \u201crequest system zeroize\u201d; or \u2022 A temporary moment during the first reboot after the software upgrade when the device configured in Virtual Chassis mode. This issue affects Juniper Networks Junos OS on EX and QFX Series: 14.1X53 versions prior to 14.1X53-D53; 15.1 versions prior to 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S4; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2; 18.3 versions prior to 18.3R1-S7, 18.3R2. This issue does not affect Juniper Networks Junos OS 12.3."
}
],
"exploits": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-08T19:25:54.000Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.juniper.net/JSA11001"
}
],
"solutions": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 14.1X53-D53, 15.1X53-D593, 15.1R7-S4, 16.1R7-S4, 17.1R2-S11, 17.1R3-S1, 17.2R3-S3, 17.3R2-S5, 17.3R3-S6, 17.4R2-S9, 17.4R3, 18.1R3-S8, 18.2R2, 18.3R1-S7, 18.3R2, 18.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA11001",
"defect": [
"1378429",
"1368940"
],
"discovery": "INTERNAL"
},
"title": "Junos OS: EX and QFX Series: Console port authentication bypass vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to the console port only to trusted administrators."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2020-04-08T16:00:00.000Z",
"ID": "CVE-2020-1618",
"STATE": "PUBLIC",
"TITLE": "Junos OS: EX and QFX Series: Console port authentication bypass vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Junos OS",
"version": {
"version_data": [
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "14.1X53",
"version_value": "14.1X53-D53"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "15.1",
"version_value": "15.1R7-S4"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "15.1X53",
"version_value": "15.1X53-D593"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "16.1",
"version_value": "16.1R7-S4"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "17.1",
"version_value": "17.1R2-S11, 17.1R3-S1"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "17.2",
"version_value": "17.2R3-S3"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "17.3",
"version_value": "17.3R2-S5, 17.3R3-S6"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "17.4",
"version_value": "17.4R2-S9, 17.4R3"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "18.1",
"version_value": "18.1R3-S8"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "18.2",
"version_value": "18.2R2"
},
{
"platform": "EX and QFX Series",
"version_affected": "\u003c",
"version_name": "18.3",
"version_value": "18.3R1-S7, 18.3R2"
},
{
"platform": "EX and QFX Series",
"version_affected": "!",
"version_value": "12.3"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "On Juniper Networks EX and QFX Series, an authentication bypass vulnerability may allow a user connected to the console port to login as root without any password. This issue might only occur in certain scenarios: \u2022 At the first reboot after performing device factory reset using the command \u201crequest system zeroize\u201d; or \u2022 A temporary moment during the first reboot after the software upgrade when the device configured in Virtual Chassis mode. This issue affects Juniper Networks Junos OS on EX and QFX Series: 14.1X53 versions prior to 14.1X53-D53; 15.1 versions prior to 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S4; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2; 18.3 versions prior to 18.3R1-S7, 18.3R2. This issue does not affect Juniper Networks Junos OS 12.3."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA11001",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA11001"
}
]
},
"solution": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 14.1X53-D53, 15.1X53-D593, 15.1R7-S4, 16.1R7-S4, 17.1R2-S11, 17.1R3-S1, 17.2R3-S3, 17.3R2-S5, 17.3R3-S6, 17.4R2-S9, 17.4R3, 18.1R3-S8, 18.2R2, 18.3R1-S7, 18.3R2, 18.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA11001",
"defect": [
"1378429",
"1368940"
],
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to the console port only to trusted administrators."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2020-1618",
"datePublished": "2020-04-08T19:25:54.845Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:56:26.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.