cnvd - cnvd-2020-53312

CNVD-2020-53312

Vulnerability from cnvd - Published: 2020-09-23

Title

Micro Air Vehicle Link存在未明漏洞

Description

Micro Air Vehicle Link（MAVLink）是Dronecode项目的一款轻量级的消息传输协议，它主要用于地面控制终端（地面站）与无人机之间 (以及机载无人机组件之间) 的通信。 MAVLink中存在安全漏洞，远程攻击者可利用该漏洞访问敏感信息。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://mavlink.io/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-10281

Impacted products

Name
mavlink Micro Air Vehicle Link

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-10281"
    }
  },
  "description": "Micro Air Vehicle Link\uff08MAVLink\uff09\u662fDronecode\u9879\u76ee\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u7684\u6d88\u606f\u4f20\u8f93\u534f\u8bae\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u5730\u9762\u63a7\u5236\u7ec8\u7aef\uff08\u5730\u9762\u7ad9\uff09\u4e0e\u65e0\u4eba\u673a\u4e4b\u95f4 (\u4ee5\u53ca\u673a\u8f7d\u65e0\u4eba\u673a\u7ec4\u4ef6\u4e4b\u95f4) \u7684\u901a\u4fe1\u3002\n\nMAVLink\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://mavlink.io/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-53312",
  "openTime": "2020-09-23",
  "products": {
    "product": "mavlink Micro Air Vehicle Link"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-10281",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-06",
  "title": "Micro Air Vehicle Link\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-10281 (GCVE-0-2020-10281)

Vulnerability from cvelistv5 – Published: 2020-07-03 14:30 – Updated: 2024-09-16 20:37

Summary

This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-319

Assigner

Alias

References

URL

Tags

https://docs.google.com/document/d/1XtbD0ORNkhZ8e…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	unspecified	MAVLink	Affected: v2.0 and before

Credits

None

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:58:40.402Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MAVLink",
          "vendor": "unspecified",
          "versions": [
            {
              "status": "affected",
              "version": "v2.0 and before"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "None"
        }
      ],
      "datePublic": "2020-07-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-03T14:30:11",
        "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "shortName": "Alias"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit"
        }
      ],
      "source": {
        "defect": [
          "RVD#3315"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0",
      "x_generator": {
        "engine": "Robot Vulnerability Database (RVD)"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@aliasrobotics.com",
          "DATE_PUBLIC": "2020-07-03T14:27:04 +00:00",
          "ID": "CVE-2020-10281",
          "STATE": "PUBLIC",
          "TITLE": "RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MAVLink",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "v2.0 and before"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": ""
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "None"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic."
            }
          ]
        },
        "generator": {
          "engine": "Robot Vulnerability Database (RVD)"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "high",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit",
              "refsource": "CONFIRM",
              "url": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit"
            }
          ]
        },
        "source": {
          "defect": [
            "RVD#3315"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
    "assignerShortName": "Alias",
    "cveId": "CVE-2020-10281",
    "datePublished": "2020-07-03T14:30:11.491216Z",
    "dateReserved": "2020-03-10T00:00:00",
    "dateUpdated": "2024-09-16T20:37:09.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-53312

CVE-2020-10281 (GCVE-0-2020-10281)

Tags

Sightings

Nomenclature