Sign-up

ID

VAR-202005-0051


CVE

CVE-2020-10626


TITLE

Fazecast Made jSerialComm To DLL Read vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-004145

DESCRIPTION

In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allow a malicious DLL file with the same name of any resident DLLs inside the software installation to execute arbitrary code. Fazecast Provides jSerialComm To DLL There is a read vulnerability. jSerialComm Is Fazecast Provides platform-independent serial communication provided by Java The library. This vulnerability allows local attackers to escalate privileges on affected installations of Schneider Electric EcoStruxure IT Gateway. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of files within the Temp directory. The issue results from an incorrect assignment of privilege to a critical resource. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Schneider Electric EcoStruxure IT Gateway is a set of cloud-based data center management as a service (DMaaS) products of French Schneider Electric company. A code issue vulnerability exists in Fazecast jSerialComm 2.2.2 and earlier versions

Trust: 2.43

sources: NVD: CVE-2020-10626 // JVNDB: JVNDB-2020-004145 // ZDI: ZDI-20-588 // VULHUB: VHN-163123 // VULMON: CVE-2020-10626

AFFECTED PRODUCTS

vendor:schneider electricmodel:ecostruxure it gatewayscope:eqversion:1.7.0.64

Trust: 1.0

vendor:fazecastmodel:jserialcommscope:lteversion:2.2.2

Trust: 1.0

vendor:schneider electricmodel:ecostruxure it gatewayscope:lteversion:1.5.2.28

Trust: 1.0

vendor:schneider electricmodel:ecostruxure it gatewayscope:gteversion:1.5.0.66

Trust: 1.0

vendor:schneider electricmodel:ecostruxure it gatewayscope:lteversion:1.6.2.14

Trust: 1.0

vendor:schneider electricmodel:ecostruxure it gatewayscope:gteversion:1.6.0.39

Trust: 1.0

vendor:fazecastmodel:jserialcommscope:eqversion:2.2.2

Trust: 0.9

vendor:schneider electricmodel:ecostruxure it gatewayscope:eqversion:1.5.x 系

Trust: 0.8

vendor:schneider electricmodel:ecostruxure it gatewayscope:eqversion:1.6.x 系

Trust: 0.8

vendor:schneider electricmodel:ecostruxure it gatewayscope:eqversion:1.7.x 系

Trust: 0.8

vendor:schneider electricmodel:ecostruxure it gatewayscope: - version: -

Trust: 0.7

vendor:semodel:ecostruxure it gatewayscope:eqversion:1.7.0.64

Trust: 0.1

sources: ZDI: ZDI-20-588 // VULMON: CVE-2020-10626 // JVNDB: JVNDB-2020-004145 // NVD: CVE-2020-10626

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10626
value: HIGH

Trust: 1.0

JPCERT/CC: JVNDB-2020-004145
value: HIGH

Trust: 0.8

ZDI: CVE-2020-10626
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202005-154
value: HIGH

Trust: 0.6

VULHUB: VHN-163123
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-10626
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-10626
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-163123
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-10626
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

JPCERT/CC score: JVNDB-2020-004145
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-10626
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-588 // VULHUB: VHN-163123 // VULMON: CVE-2020-10626 // JVNDB: JVNDB-2020-004145 // CNNVD: CNNVD-202005-154 // NVD: CVE-2020-10626

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.9

sources: VULHUB: VHN-163123 // JVNDB: JVNDB-2020-004145 // NVD: CVE-2020-10626

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202005-154

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202005-154

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-004145

PATCH
title:jSerialCommurl:https://github.com/Fazecast/jSerialComm/releases
Trust: 1.6
title:Schneider Electric has issued an update to correct this vulnerability.url:https://www.us-cert.gov/ics/advisories/ICSA2012601
Trust: 0.7
title:Fazecast jSerialComm Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122410
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-588 // 
            
            
            
            JVNDB: JVNDB-2020-004145 // 
            
            
            
            CNNVD: CNNVD-202005-154

EXTERNAL IDS
db:NVDid:CVE-2020-10626
Trust: 3.3
db:ZDIid:ZDI-20-588
Trust: 1.3
db:JVNid:JVNVU98082388
Trust: 0.8
db:JVNDBid:JVNDB-2020-004145
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-10377
Trust: 0.7
db:CNNVDid:CNNVD-202005-154
Trust: 0.7
db:NSFOCUSid:48504
Trust: 0.6
db:AUSCERTid:ESB-2020.1621
Trust: 0.6
db:VULHUBid:VHN-163123
Trust: 0.1
db:PULSESECUREid:SA201260
Trust: 0.1
db:VULMONid:CVE-2020-10626
Trust: 0.1
sources:
            
            
            ZDI: ZDI-20-588 // 
            
            
            
            VULHUB: VHN-163123 // 
            
            
            
            VULMON: CVE-2020-10626 // 
            
            
            
            JVNDB: JVNDB-2020-004145 // 
            
            
            
            CNNVD: CNNVD-202005-154 // 
            
            
            
            NVD: CVE-2020-10626

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa2012601
Trust: 3.3
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10626
Trust: 0.8
url:http://jvn.jp/cert/jvnvu98082388
Trust: 0.8
url:http://www.nsfocus.net/vulndb/48504
Trust: 0.6
url:https://nvd.nist.gov/vuln/detail/cve-2020-10626
Trust: 0.6
url:https://www.zerodayinitiative.com/advisories/zdi-20-588/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1621/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/427.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/181436
Trust: 0.1
sources:
            
            
            ZDI: ZDI-20-588 // 
            
            
            
            VULHUB: VHN-163123 // 
            
            
            
            VULMON: CVE-2020-10626 // 
            
            
            
            JVNDB: JVNDB-2020-004145 // 
            
            
            
            CNNVD: CNNVD-202005-154 // 
            
            
            
            NVD: CVE-2020-10626

CREDITS
Ryan Wincey (@rwincey) of Securifera
Trust: 0.7
sources:
            
            
            ZDI: ZDI-20-588

SOURCES
db:ZDIid:ZDI-20-588
db:VULHUBid:VHN-163123
db:VULMONid:CVE-2020-10626
db:JVNDBid:JVNDB-2020-004145
db:CNNVDid:CNNVD-202005-154
db:NVDid:CVE-2020-10626

LAST UPDATE DATE
2024-11-23T21:51:29.708000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-20-588date:2020-05-06T00:00:00
db:VULHUBid:VHN-163123date:2022-01-31T00:00:00
db:VULMONid:CVE-2020-10626date:2020-05-19T00:00:00
db:JVNDBid:JVNDB-2020-004145date:2020-05-08T00:00:00
db:CNNVDid:CNNVD-202005-154date:2022-03-10T00:00:00
db:NVDid:CVE-2020-10626date:2024-11-21T04:55:43.520

SOURCES RELEASE DATE
db:ZDIid:ZDI-20-588date:2020-05-06T00:00:00
db:VULHUBid:VHN-163123date:2020-05-14T00:00:00
db:VULMONid:CVE-2020-10626date:2020-05-14T00:00:00
db:JVNDBid:JVNDB-2020-004145date:2020-05-08T00:00:00
db:CNNVDid:CNNVD-202005-154date:2020-05-05T00:00:00
db:NVDid:CVE-2020-10626date:2020-05-14T16:15:12.530