CVE-2020-3934 - OpenCVE

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Secom	Dr.id Access Control Dr.id Attendance System

Configuration 1 [-]

OR	cpe:2.3:a:secom:dr.id_access_control::::::::
	cpe:2.3:a:secom:dr.id_attendance_system::::::::

References

Link	Resource
https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b	Third Party Advisory
https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac	Third Party Advisory
https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2020-02-11T00:00:00

Updated: 2020-07-27T12:12:47

Reserved: 2019-12-20T00:00:00

Link: CVE-2020-3934

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-11T12:15:21.057

Modified: 2022-01-01T19:58:30.000

Link: CVE-2020-3934

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "Door Access Control system", "vendor": "TAIWAN SECOM CO., LTD.", "versions": [{"lessThanOrEqual": "3.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}, {"product": "Personnel Attendance system", "vendor": "TAIWAN SECOM CO., LTD.", "versions": [{"lessThanOrEqual": "3.3.0.3_20160517", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2020-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Pre-auth SQL Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-27T12:12:47", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"}, {"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html"}], "solutions": [{"lang": "en", "value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"}], "source": {"discovery": "UNKNOWN"}, "title": "TAIWAN SECOM CO., LTD. - Pre-auth SQL Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-02-11T03:59:00.000Z", "ID": "CVE-2020-3934", "STATE": "PUBLIC", "TITLE": "TAIWAN SECOM CO., LTD. - Pre-auth SQL Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Door Access Control system", "version": {"version_data": [{"version_affected": "<=", "version_name": "0", "version_value": "3.3.2"}]}}, {"product_name": "Personnel Attendance system", "version": {"version_data": [{"version_affected": "<=", "version_name": "0", "version_value": "3.3.0.3_20160517"}]}}]}, "vendor_name": "TAIWAN SECOM CO., LTD."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Pre-auth SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac", "refsource": "MISC", "url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"}, {"name": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b", "refsource": "MISC", "url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"}, {"name": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html"}]}, "solution": [{"lang": "en", "value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-3934", "datePublished": "2020-02-11T00:00:00", "dateReserved": "2019-12-20T00:00:00", "dateUpdated": "2020-07-27T12:12:47", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:secom:dr.id_access_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "02EC3D6E-9954-4BE8-9DE2-3CD0BF5B2093", "versionEndExcluding": "3.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:secom:dr.id_attendance_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B14D909-4622-4412-BED7-E1CF1081346A", "versionEndExcluding": "3.3.0.3_20160517", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command."}, {"lang": "es", "value": "TAIWAN SECOM CO., LTD., un sistema de Control de Acceso de Puerta y Administraci\u00f3n de Asistencia de Personal, contiene una vulnerabilidad de inyecci\u00f3n SQL previa a la autenticaci\u00f3n, lo que permite a atacantes inyectar un comando SQL espec\u00edfico"}], "id": "CVE-2020-3934", "lastModified": "2022-01-01T19:58:30.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2020-02-11T12:15:21.057", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}