{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "CybersecurityCOE@eaton.com",
|
|
"ID": "CVE-2020-6656",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "File parsing Type Confusion Remote code execution vulnerability"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Eaton",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "easySoft Software",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "v7.xx prior to v7.22"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"credit": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Eaton would like to thank Francis Provencher from ZDI"
|
|
}
|
|
],
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Eaton's easySoft software v7.xx prior to v7.22 is susceptible to a file parsing type confusion remote code execution vulnerability. A malicious entity can execute malicious code or make the application crash by tricking a user into uploading a malformed .E70 file in the application. The vulnerability arises from improper validation of user data supplied through the E70 file, which causes Type Confusion."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.9"
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "HIGH",
|
|
"attackVector": "LOCAL",
|
|
"availabilityImpact": "LOW",
|
|
"baseScore": 5.8,
|
|
"baseSeverity": "MEDIUM",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "REQUIRED",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-20 Improper Input Validation"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf",
|
|
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/easySoft-eaton-vulnerability-advisory.pdf"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1441/",
|
|
"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-1441/"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1442/",
|
|
"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-1442/"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1444/",
|
|
"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-1444/"
|
|
},
|
|
{
|
|
"refsource": "MISC",
|
|
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03",
|
|
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-03"
|
|
}
|
|
]
|
|
},
|
|
"solution": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Apply the patch once it is provided by Eaton. "
|
|
}
|
|
],
|
|
"source": {
|
|
"advisory": "ETN-VA-2020-1009",
|
|
"defect": [
|
|
"ETN-VA-2020-1009"
|
|
],
|
|
"discovery": "EXTERNAL"
|
|
},
|
|
"work_around": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Do not upload E70 files from untrusted sources."
|
|
}
|
|
]
|
|
} |