ID

VAR-202007-0398


CVE

CVE-2020-14501


TITLE

Advantech iView access control error vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-43173 // CNNVD: CNNVD-202007-955

DESCRIPTION

Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also delete the administrator account. Advantech iView contains a vulnerability caused by a lack of authentication for critical functions. Information may be obtained or tampered with, and service operation may be interrupted (DoS). This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UserServlet class. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView is a device management application provided by Advantech. Advantech iView is software based on the Simple Network Management Protocol (SNMP), from China Advantech Company, used to manage B+B SmartWorx equipment.

Trust: 2.88

sources: NVD: CVE-2020-14501 // JVNDB: JVNDB-2020-008661 // ZDI: ZDI-20-859 // CNVD: CNVD-2020-43173 // VULHUB: VHN-167386

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-43173

AFFECTED PRODUCTS

vendor: advantech, model: iview, scope: lte, version: 5.6

Trust: 1.0

vendor: advantech, model: iview, scope: eq, version: 5.6

Trust: 0.8

vendor: advantech, model: iview, scope: -, version: -

Trust: 0.7

vendor: advantech, model: iview, scope: lte, version: <=5.6

Trust: 0.6

sources: ZDI: ZDI-20-859 // CNVD: CNVD-2020-43173 // JVNDB: JVNDB-2020-008661 // NVD: CVE-2020-14501

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14501
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-008661
value: CRITICAL

Trust: 0.8

ZDI: CVE-2020-14501
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-43173
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202007-955
value: CRITICAL

Trust: 0.6

VULHUB: VHN-167386
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-14501
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008661
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-43173
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-167386
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14501
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-008661
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-14501
baseSeverity: HIGH
baseScore: 8.2
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 4.2
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-859 // CNVD: CNVD-2020-43173 // VULHUB: VHN-167386 // JVNDB: JVNDB-2020-008661 // CNNVD: CNNVD-202007-955 // NVD: CVE-2020-14501

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.9

sources: VULHUB: VHN-167386 // JVNDB: JVNDB-2020-008661 // NVD: CVE-2020-14501

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-955

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202007-955

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008661

PATCH

title: Top Page, url: https://www.advantech.co.jp

Trust: 0.8

title: Advantech has issued an update to correct this vulnerability., url: https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Trust: 0.7

title: Patch for Advantech iView access control error vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/227261

Trust: 0.6

sources: ZDI: ZDI-20-859 // CNVD: CNVD-2020-43173 // JVNDB: JVNDB-2020-008661

EXTERNAL IDS

db: NVD, id: CVE-2020-14501

Trust: 3.8

db: ICS CERT, id: ICSA-20-196-01

Trust: 2.5

db: ZDI, id: ZDI-20-859

Trust: 2.4

db: JVN, id: JVNVU95694616

Trust: 0.8

db: JVNDB, id: JVNDB-2020-008661

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-10699

Trust: 0.7

db: CNVD, id: CNVD-2020-43173

Trust: 0.6

db: NSFOCUS, id: 47223

Trust: 0.6

db: AUSCERT, id: ESB-2020.2382

Trust: 0.6

db: CNNVD, id: CNNVD-202007-955

Trust: 0.6

db: VULHUB, id: VHN-167386

Trust: 0.1

sources: ZDI: ZDI-20-859 // CNVD: CNVD-2020-43173 // VULHUB: VHN-167386 // JVNDB: JVNDB-2020-008661 // CNNVD: CNNVD-202007-955 // NVD: CVE-2020-14501

REFERENCES

url: https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01

Trust: 3.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-14501

Trust: 2.0

url: https://www.zerodayinitiative.com/advisories/zdi-20-859/

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-14501

Trust: 0.8

url: https://jvn.jp/vu/jvnvu95694616/

Trust: 0.8

url: https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Trust: 0.7

url: https://www.auscert.org.au/bulletins/esb-2020.2382/

Trust: 0.6

url: http://www.nsfocus.net/vulndb/47223

Trust: 0.6

sources: ZDI: ZDI-20-859 // CNVD: CNVD-2020-43173 // VULHUB: VHN-167386 // JVNDB: JVNDB-2020-008661 // CNNVD: CNNVD-202007-955 // NVD: CVE-2020-14501

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-20-859

SOURCES

db: ZDI, id: ZDI-20-859
db: CNVD, id: CNVD-2020-43173
db: VULHUB, id: VHN-167386
db: JVNDB, id: JVNDB-2020-008661
db: CNNVD, id: CNNVD-202007-955
db: NVD, id: CVE-2020-14501

LAST UPDATE DATE

2024-08-14T14:03:38.877000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-20-859, date: 2020-07-16T00:00:00
db: CNVD, id: CNVD-2020-43173, date: 2020-07-30T00:00:00
db: VULHUB, id: VHN-167386, date: 2020-07-22T00:00:00
db: JVNDB, id: JVNDB-2020-008661, date: 2020-09-18T00:00:00
db: CNNVD, id: CNNVD-202007-955, date: 2020-12-31T00:00:00
db: NVD, id: CVE-2020-14501, date: 2020-07-22T15:08:12.010

SOURCES RELEASE DATE

db: ZDI, id: ZDI-20-859, date: 2020-07-16T00:00:00
db: CNVD, id: CNVD-2020-43173, date: 2020-07-27T00:00:00
db: VULHUB, id: VHN-167386, date: 2020-07-15T00:00:00
db: JVNDB, id: JVNDB-2020-008661, date: 2020-09-18T00:00:00
db: CNNVD, id: CNNVD-202007-955, date: 2020-07-14T00:00:00
db: NVD, id: CVE-2020-14501, date: 2020-07-15T03:15:50.607