CVE-2020-12004 - OpenCVE

The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Inductiveautomation	Ignition Gateway

Configuration 1 [-]

OR	cpe:2.3:a:inductiveautomation:ignition_gateway::::::::
	cpe:2.3:a:inductiveautomation:ignition_gateway::::::::

References

Link	Resource
http://packetstormsecurity.com/files/158226/Inductive-Automation-Ignition-Remote-Code-Execution.html
https://www.us-cert.gov/ics/advisories/icsa-20-147-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2020-06-09T17:16:04

Updated: 2020-06-25T22:06:14

Reserved: 2020-04-21T00:00:00

Link: CVE-2020-12004

JSON object: View

NVD Information

Status : Modified

Published: 2020-06-09T18:15:11.137

Modified: 2020-06-25T23:15:13.167

Link: CVE-2020-12004

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"containers": {"cna": {"affected": [{"product": "Ignition 8 Gateway", "vendor": "n/a", "versions": [{"status": "affected", "version": "versions prior to 7.9.14 and 8.0.10"}]}], "descriptions": [{"lang": "en", "value": "The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-25T22:06:14", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-20-147-01"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/158226/Inductive-Automation-Ignition-Remote-Code-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-12004", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ignition 8 Gateway", "version": {"version_data": [{"version_value": "versions prior to 7.9.14 and 8.0.10"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-20-147-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-20-147-01"}, {"name": "http://packetstormsecurity.com/files/158226/Inductive-Automation-Ignition-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/158226/Inductive-Automation-Ignition-Remote-Code-Execution.html"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-12004", "datePublished": "2020-06-09T17:16:04", "dateReserved": "2020-04-21T00:00:00", "dateUpdated": "2020-06-25T22:06:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inductiveautomation:ignition_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A080348-81C5-4DE0-8127-379242A59B2A", "versionEndExcluding": "7.9.14", "versionStartIncluding": "7.2.4.48", "vulnerable": true}, {"criteria": "cpe:2.3:a:inductiveautomation:ignition_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D54DBE1-0273-41EF-AC65-611E74CD00FA", "versionEndExcluding": "8.0.10", "versionStartIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information."}, {"lang": "es", "value": "El producto afectado carece de una autenticaci\u00f3n apropiada requerida para consultar el servidor en Ignition 8 Gateway (versiones anteriores a 8.0.10) y Ignition 7 Gateway (versiones anteriores a la 7.9.14), permitiendo a un atacante obtener informaci\u00f3n confidencial"}], "id": "CVE-2020-12004", "lastModified": "2020-06-25T23:15:13.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-09T18:15:11.137", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "http://packetstormsecurity.com/files/158226/Inductive-Automation-Ignition-Remote-Code-Execution.html"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-20-147-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}