mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
161 lines
6.1 KiB
JSON
161 lines
6.1 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"AKA": "TWCERT/CC",
|
|
"ASSIGNER": "cve@cert.org.tw",
|
|
"DATE_PUBLIC": "2021-09-30T10:13:00.000Z",
|
|
"ID": "CVE-2021-41292",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "ECOA BAS controller - Broken Authentication"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "ECS Router Controller ECS (FLASH)",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskBuster Terminator E6L45",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskBuster System RB 3.0.0",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskBuster System TRANE 1.0",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "Graphic Control Software",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "SmartHome II E9246",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskTerminator",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "ECOA"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.9"
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 9.8,
|
|
"baseSeverity": "CRITICAL",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
|
|
"name": "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html"
|
|
}
|
|
]
|
|
},
|
|
"solution": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Contact tech support from ECOA."
|
|
}
|
|
],
|
|
"source": {
|
|
"advisory": "TVN-202109008",
|
|
"discovery": "EXTERNAL"
|
|
}
|
|
} |