CVE-2020-10281 - OpenCVE

This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Dronecode	Micro Air Vehicle Link

Configuration 1 [-]

cpe:2.3:a:dronecode:micro_air_vehicle_link:-:*:*:*:*:*:*:*

References

Link	Resource
https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit	Technical Description Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Alias

Published: 2020-07-03T00:00:00

Updated: 2020-07-03T14:30:11

Reserved: 2020-03-10T00:00:00

Link: CVE-2020-10281

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-03T15:15:09.777

Modified: 2021-12-21T12:44:03.753

Link: CVE-2020-10281

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"containers": {"cna": {"affected": [{"product": "MAVLink", "vendor": "unspecified", "versions": [{"status": "affected", "version": " v2.0 and before"}]}], "credits": [{"lang": "en", "value": "None"}], "datePublic": "2020-07-03T00:00:00", "descriptions": [{"lang": "en", "value": "This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-03T14:30:11", "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "shortName": "Alias"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit"}], "source": {"defect": ["RVD#3315"], "discovery": "EXTERNAL"}, "title": "RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0", "x_generator": {"engine": "Robot Vulnerability Database (RVD)"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@aliasrobotics.com", "DATE_PUBLIC": "2020-07-03T14:27:04 +00:00", "ID": "CVE-2020-10281", "STATE": "PUBLIC", "TITLE": "RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MAVLink", "version": {"version_data": [{"version_value": " v2.0 and before"}]}}]}, "vendor_name": ""}]}}, "credit": [{"lang": "eng", "value": "None"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic."}]}, "generator": {"engine": "Robot Vulnerability Database (RVD)"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "high", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319"}]}]}, "references": {"reference_data": [{"name": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit", "refsource": "CONFIRM", "url": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit"}]}, "source": {"defect": ["RVD#3315"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a", "assignerShortName": "Alias", "cveId": "CVE-2020-10281", "datePublished": "2020-07-03T00:00:00", "dateReserved": "2020-03-10T00:00:00", "dateUpdated": "2020-07-03T14:30:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dronecode:micro_air_vehicle_link:-:*:*:*:*:*:*:*", "matchCriteriaId": "EAB382CB-BFFF-45D9-874B-17292E909D09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic."}, {"lang": "es", "value": "Esta vulnerabilidad aplica al protocolo Micro Air Vehicle Link (MAVLink) y permite a un atacante remoto conseguir acceso a informaci\u00f3n confidencial siempre que tenga acceso al medio de comunicaci\u00f3n. MAVLink es un protocolo basado en el encabezado que no realiza cifrado para mejorar la transferencia (y la velocidad de recepci\u00f3n) y la eficiencia por dise\u00f1o. La creciente popularidad del protocolo (utilizado entre diferentes pilotos autom\u00e1ticos) ha llevado a su uso en medios cableados e inal\u00e1mbricos por medio de canales de comunicaci\u00f3n no seguros que exponen informaci\u00f3n confidencial a un atacante remoto con capacidad de interceptar el tr\u00e1fico de la red"}], "id": "CVE-2020-10281", "lastModified": "2021-12-21T12:44:03.753", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve@aliasrobotics.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-03T15:15:09.777", "references": [{"source": "cve@aliasrobotics.com", "tags": ["Technical Description", "Vendor Advisory"], "url": "https://docs.google.com/document/d/1XtbD0ORNkhZ8eKrsbSIZNLyg9sFRXMXbsR2mp37KbIg/edit"}], "sourceIdentifier": "cve@aliasrobotics.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "cve@aliasrobotics.com", "type": "Secondary"}]}