cvelist | GitHub_M | CVELIST:CVE-2020-11015
History: Sep 29, 2022 - 1:42 a.m.

CVE-2020-11015 Device Authentication Vulnerability in thinx-device-api IoT Device Management Server

2022-09-29 01:42:38
CWE-290
GitHub_M
www.cve.org
cve-2020-11015
device authentication
thinx-device-api
iot device management server
mac address spoofing
udid
esp8266/esp32
firmware 2.5.0

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

AI Score: 9.2 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 51.3%)

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. The device MAC address can be spoofed. This means that an initial registration request without a UDID and with a spoofed MAC address may pass and create a new UDID with the same MAC address. Full impact needs to be reviewed further. Applies to all (mostly ESP8266/ESP32) users. This has been fixed in firmware version 2.5.0.

CNA Affected

[
  {
    "product": "thinx-device-api",
    "vendor": "suculent",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.5.0"
      }
    ]
  }
]

