History: Jun 16, 2020 - 8:15 p.m.

CVE-2020-7495

2020-06-16 20:15:14
CWE-22
schneider
web.nvd.nist.gov
cve-2020-7495
cwe-22
path traversal
ecostruxure operator terminal expert
security vulnerability
zip file extraction
unauthorized write access

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score: 5.3
Confidence: High

EPSS: 0.001
Percentile: 33.1%

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability during zip file extraction exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause unauthorized write access outside of expected path folder when opening the project file.

Affected configurations

Nvd

Node
schneider-electric ecostruxure_operator_terminal_expert Range 3.0
OR
schneider-electric ecostruxure_operator_terminal_expert Match 3.1-
OR
schneider-electric ecostruxure_operator_terminal_expert Match 3.1sp1

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| schneider-electric | ecostruxure_operator_terminal_expert | * | cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:* |
| schneider-electric | ecostruxure_operator_terminal_expert | 3.1 | cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:-:*:*:*:*:*:* |
| schneider-electric | ecostruxure_operator_terminal_expert | 3.1 | cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.1:sp1:*:*:*:*:*:* |

CNA Affected

[
  {
    "product": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)"
      }
    ]
  }
]
