github - ghsa-8839-62pg-36q3

ghsa-8839-62pg-36q3

Vulnerability from github

Published

2022-05-24 17:21

Modified

2022-05-24 17:21

Details

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-24T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot\u0027s database.",
  "id": "GHSA-8839-62pg-36q3",
  "modified": "2022-05-24T17:21:31Z",
  "published": "2022-05-24T17:21:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10274"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aliasrobotics/RVD/issues/2556"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

cve-2020-10274

Vulnerability from cvelistv5

Published

2020-06-24 04:40

Modified

2024-09-17 00:05

Severity

7.1 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Summary

RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)

References

URL	Tags
https://github.com/aliasrobotics/RVD/issues/2556	x_refsource_CONFIRM

Impacted products

Vendor	Product
Mobile Industrial Robots A/S	MiR100

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:58:40.140Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/aliasrobotics/RVD/issues/2556"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MiR100",
          "vendor": "Mobile Industrial Robots A/S",
          "versions": [
            {
              "status": "affected",
              "version": "v2.8.1.1 and before"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Alias Robotics (group, https://aliasrobotics.com)"
        }
      ],
      "datePublic": "2020-06-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot\u0027s database."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-24T04:40:12",
        "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "shortName": "Alias"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aliasrobotics/RVD/issues/2556"
        }
      ],
      "source": {
        "defect": [
          "RVD#2556"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)",
      "x_generator": {
        "engine": "Robot Vulnerability Database (RVD)"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@aliasrobotics.com",
          "DATE_PUBLIC": "2020-06-24T04:37:43 +00:00",
          "ID": "CVE-2020-10274",
          "STATE": "PUBLIC",
          "TITLE": "RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MiR100",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "v2.8.1.1 and before"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mobile Industrial Robots A/S"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Alias Robotics (group, https://aliasrobotics.com)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot\u0027s database."
            }
          ]
        },
        "generator": {
          "engine": "Robot Vulnerability Database (RVD)"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "high",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/aliasrobotics/RVD/issues/2556",
              "refsource": "CONFIRM",
              "url": "https://github.com/aliasrobotics/RVD/issues/2556"
            }
          ]
        },
        "source": {
          "defect": [
            "RVD#2556"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
    "assignerShortName": "Alias",
    "cveId": "CVE-2020-10274",
    "datePublished": "2020-06-24T04:40:12.678203Z",
    "dateReserved": "2020-03-10T00:00:00",
    "dateUpdated": "2024-09-17T00:05:33.397Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.