var-202005-0949
Vulnerability from variot
An Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 and prior allows non-admin users to upload system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configuration by uploading configurations with incorrect parameters. Eaton's Intelligent Power Manager (IPM) contains a privilege management vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). This vulnerability allows remote attackers to escalate privileges on affected installations of Eaton Intelligent Power Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within the mc2 binary. The issue results from the lack of proper validation of user privileges prior to performing privileged actions. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from non-admin users. Eaton Intelligent Power Manager (IPM) is an intelligent power manager made by Eaton, USA. It supports remote monitoring and management of multiple devices in the network from the interface. Note that the CVSS vectors recorded in this entry rate the attack vector as local (AV:L) with low privileges required, although the description above speaks of remote attackers; confirm which applies to your deployment when prioritising the fix.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202005-0949", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "intelligent power manager", "scope": "lte", "trust": 1.0, "vendor": "eaton", "version": "1.67" }, { "model": "intelligent power manager", "scope": "eq", "trust": 0.9, "vendor": "eaton", "version": "1.67" }, { "model": "intelligent power manager", "scope": 
null, "trust": 0.7, "vendor": "eaton", "version": null }, { "model": "intelligent power manager", "scope": "lte", "trust": 0.6, "vendor": "eaton", "version": "\u003c=1.67" } ], "sources": [ { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "VULMON", "id": "CVE-2020-6652" }, { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "NVD", "id": "CVE-2020-6652" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "1.67", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2020-6652" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "zebasquared", "sources": [ { "db": "ZDI", "id": "ZDI-20-650" } ], "trust": 0.7 }, "cve": "CVE-2020-6652", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", 
"accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Local", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 4.6, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "JVNDB-2020-005113", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "id": "CNVD-2021-28786", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "author": "VULMON", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.9, "id": "CVE-2020-6652", "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "MEDIUM", "trust": 0.1, "userInteractionRequired": null, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", 
"availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "JVNDB-2020-005113", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "ZDI", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "id": "CVE-2020-6652", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 0.7, "userInteraction": "NONE", "vectorString": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2020-6652", "trust": 1.0, "value": "HIGH" }, { "author": "CybersecurityCOE@eaton.com", "id": "CVE-2020-6652", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "JVNDB-2020-005113", "trust": 0.8, "value": "High" }, { "author": "ZDI", "id": "CVE-2020-6652", "trust": 0.7, "value": "HIGH" }, { "author": "CNVD", "id": "CNVD-2021-28786", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202005-252", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2020-6652", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "VULMON", "id": "CVE-2020-6652" }, { "db": "JVNDB", 
"id": "JVNDB-2020-005113" }, { "db": "NVD", "id": "CVE-2020-6652" }, { "db": "NVD", "id": "CVE-2020-6652" }, { "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Incorrect Privilege Assignment vulnerability in Eaton\u0027s Intelligent Power Manager (IPM) v1.67 \u0026 prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters. Eaton\u0027s Intelligent Power Manager (IPM) Exists in a privilege management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to escalate privileges on affected installations of Eaton Intelligent Power Manager. Authentication is required to exploit this vulnerability.The specific flaw exists within the mc2 binary. The issue results from the lack of proper validation of user privileges prior to performing privileged actions. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from non-admin users. Eaton Intelligent Power Manager (IPM) is an intelligent power manager made by Eaton, USA. 
It supports remote monitoring and management of multiple devices in the network from the interface", "sources": [ { "db": "NVD", "id": "CVE-2020-6652" }, { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "VULMON", "id": "CVE-2020-6652" } ], "trust": 2.88 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2020-6652", "trust": 3.8 }, { "db": "ZDI", "id": "ZDI-20-650", "trust": 2.4 }, { "db": "ICS CERT", "id": "ICSA-20-133-01", "trust": 1.4 }, { "db": "JVN", "id": "JVNVU91250818", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2020-005113", "trust": 0.8 }, { "db": "ZDI_CAN", "id": "ZDI-CAN-11085", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2021-28786", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.1678", "trust": 0.6 }, { "db": "NSFOCUS", "id": "47501", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202005-252", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2020-6652", "trust": 0.1 } ], "sources": [ { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "VULMON", "id": "CVE-2020-6652" }, { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "NVD", "id": "CVE-2020-6652" }, { "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "id": "VAR-202005-0949", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-28786" } ], "trust": 1.1833333000000001 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "IoT" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-28786" } ] }, "last_update_date": "2023-12-18T13:18:13.627000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "ETN-VA-2020-1004", "trust": 0.8, "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf" }, { "title": "Eaton has issued an update to correct this vulnerability.", "trust": 0.7, "url": "https://www.us-cert.gov/ics/advisories/icsa-20-133-01" }, { "title": "Patch for Eaton Intelligent Power Manager incorrect permission assignment vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/258931" }, { "title": "Eaton Intelligent Power Manager Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=117840" } ], "sources": [ { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-269", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "NVD", "id": "CVE-2020-6652" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.1, "url": 
"https://www.us-cert.gov/ics/advisories/icsa-20-133-01" }, { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-6652" }, { "trust": 1.7, "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf" }, { "trust": 1.7, "url": "https://www.zerodayinitiative.com/advisories/zdi-20-650/" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6652" }, { "trust": 0.8, "url": "https://jvn.jp/vu/jvnvu91250818/" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/47501" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.1678/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "VULMON", "id": "CVE-2020-6652" }, { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "NVD", "id": "CVE-2020-6652" }, { "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "ZDI", "id": "ZDI-20-650" }, { "db": "CNVD", "id": "CNVD-2021-28786" }, { "db": "VULMON", "id": "CVE-2020-6652" }, { "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "db": "NVD", "id": "CVE-2020-6652" }, { "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-05-12T00:00:00", "db": "ZDI", "id": "ZDI-20-650" }, { "date": "2021-04-16T00:00:00", "db": "CNVD", "id": "CNVD-2021-28786" }, { "date": "2020-05-07T00:00:00", "db": "VULMON", "id": "CVE-2020-6652" }, { "date": "2020-06-08T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "date": "2020-05-07T16:15:11.390000", "db": "NVD", "id": "CVE-2020-6652" 
}, { "date": "2020-05-07T00:00:00", "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-05-12T00:00:00", "db": "ZDI", "id": "ZDI-20-650" }, { "date": "2021-04-16T00:00:00", "db": "CNVD", "id": "CNVD-2021-28786" }, { "date": "2020-05-12T00:00:00", "db": "VULMON", "id": "CVE-2020-6652" }, { "date": "2020-06-08T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-005113" }, { "date": "2020-05-12T22:15:12.607000", "db": "NVD", "id": "CVE-2020-6652" }, { "date": "2020-08-07T00:00:00", "db": "CNNVD", "id": "CNNVD-202005-252" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202005-252" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Eaton\u0027s Intelligent Power Manager Vulnerability related to authority management in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-005113" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202005-252" } ], "trust": 0.6 } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.