diff --git a/2020/12xxx/CVE-2020-12499.json b/2020/12xxx/CVE-2020-12499.json
index 242727ae0fd..49cf7acec15 100644
--- a/2020/12xxx/CVE-2020-12499.json
+++ b/2020/12xxx/CVE-2020-12499.json
@@ -1,18 +1,107 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "info@cert.vde.com",
+ "DATE_PUBLIC": "2020-07-21T09:44:00.000Z",
 "ID": "CVE-2020-12499",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier: Improper path sanitation vulnerability."
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "PLCnext Engineer",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_value": "2020.3.1"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "PHOENIX CONTACT"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "This vulnerability was discovered and reported by Amir Preminger of Claroty."
+ },
+ {
+ "lang": "eng",
+ "value": "PHOENIX CONTACT reported the vulnerability to CERT@VDE."
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In PHOENIX CONTACT PLCnext Engineer version 2020.3.1 and earlier an improper path sanitation vulnerability exists on import of project files."
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "LOCAL",
+ "availabilityImpact": "HIGH",
+ "baseScore": 8.2,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://cert.vde.com/en-us/advisories/vde-2020-025"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "Temporary Fix / Mitigation: We strongly recommend customers to exchange project files only using secure file exchange\nservices. Project files should not be exchanged via unencrypted email. Users should avoid\nimporting project files from unknown source and exchange or store project files together with a\nchecksum to ensure their integrity.\n\n"
+ },
+ {
+ "lang": "eng",
+ "value": "Remediation: Phoenix Contact strongly recommends updating to the latest version PLCnext Enineer 2020.6 or\nhigher, which fixes this vulnerability."
+ }
+ ],
+ "source": {
+ "advisory": "VDE-2020-025",
+ "discovery": "UNKNOWN"
 }
 }
\ No newline at end of file
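Review bot: The `source.discovery` value at the end of the record is `"UNKNOWN"`, yet the added `credit` array names the finder (Amir Preminger of Claroty), so the two fields disagree; if the finder was outside the vendor, as the credit suggests, `"discovery": "EXTERNAL"` would be the consistent value. The remediation string in `solution` misspells the product as `PLCnext Enineer 2020.6`, which defeats text matching on the product name and should read `PLCnext Engineer 2020.6`. The fixed release appears only in that free text, while `version_data` carries just `"<="` / `"2020.3.1"`, so tooling that reads the structured fields cannot tell which version is safe. The stated base score of 8.2 does match the `vectorString` under CVSS 3.1, so no change is needed there.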