Lucene search

AliasCVELIST:CVE-2020-10274

HistoryJun 24, 2020 - 4:40 a.m.

CVE-2020-10274 RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)

2020-06-2404:40:12

CWE-200

Alias

www.cve.org

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7.2

Confidence

High

EPSS

0.007

Percentile

79.7%

JSON

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot’s database.

CNA Affected

[
  {
    "product": "MiR100",
    "vendor": "Mobile Industrial Robots A/S",
    "versions": [
      {
        "status": "affected",
        "version": "v2.8.1.1 and before"
      }
    ]
  }
]

References

github.com/aliasrobotics/RVD/issues/2556

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

7.2

Confidence

High

EPSS

0.007

Percentile

79.7%

JSON

Related for CVELIST:CVE-2020-10274