Lucene search

SchneiderCVE-2020-7475

HistoryMar 23, 2020 - 7:15 p.m.

CVE-2020-7475

2020-03-2319:15:12

CWE-74

schneider

web.nvd.nist.gov

cve-2020-7475

injection vulnerability

ecostruxure control expert

unity pro

modicon m340

modicon m580

nvd

cwe-74

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.002

Percentile

61.5%

JSON

A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller.

Affected configurations

Nvd

Node

schneider-electricecostruxure_control_expertRange≤14.0

schneider-electricunity_pro

Node

schneider-electricmodicon_m340Match-

AND

schneider-electricmodicon_m340_firmwareRange<3.20

Node

schneider-electricmodicon_m580Match-

AND

schneider-electricmodicon_m580_firmwareRange<3.10

VendorProductVersionCPE
schneider-electricecostruxure_control_expert*cpe:2.3:a:schneider-electric:ecostruxure_control_expert:*:*:*:*:*:*:*:*
schneider-electricunity_pro*cpe:2.3:a:schneider-electric:unity_pro:*:*:*:*:*:*:*:*
schneider-electricmodicon_m340-cpe:2.3:h:schneider-electric:modicon_m340:-:*:*:*:*:*:*:*
schneider-electricmodicon_m340_firmware*cpe:2.3:o:schneider-electric:modicon_m340_firmware:*:*:*:*:*:*:*:*
schneider-electricmodicon_m580-cpe:2.3:h:schneider-electric:modicon_m580:-:*:*:*:*:*:*:*
schneider-electricmodicon_m580_firmware*cpe:2.3:o:schneider-electric:modicon_m580_firmware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
schneider-electric	ecostruxure_control_expert	*	cpe:2.3:a:schneider-electric:ecostruxure_control_expert::::::::
schneider-electric	unity_pro	*	cpe:2.3:a:schneider-electric:unity_pro::::::::
schneider-electric	modicon_m340	-	cpe:2.3:h:schneider-electric:modicon_m340:-:::::::*
schneider-electric	modicon_m340_firmware	*	cpe:2.3:o:schneider-electric:modicon_m340_firmware::::::::
schneider-electric	modicon_m580	-	cpe:2.3:h:schneider-electric:modicon_m580:-:::::::*
schneider-electric	modicon_m580_firmware	*	cpe:2.3:o:schneider-electric:modicon_m580_firmware::::::::

CNA Affected

[
  {
    "product": "EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10)",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10)"
      }
    ]
  }
]

References

www.se.com/ww/en/download/document/SEVD-2020-080-01

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.002

Percentile

61.5%

JSON

Related for CVE-2020-7475