Sign-up

ID

VAR-202007-0400


CVE

CVE-2020-14505


TITLE

Advantech iView command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-43172 // CNNVD: CNNVD-202007-961

DESCRIPTION

Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection”) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that creates a command string without any validation. The attacker may then remotely execute code. Advantech iView There is an injection vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the restoreDatabase method of the NetworkServlet class. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. Advantech iView is a device management application provided by Advantech. The vulnerability stems from the program's failure to correctly verify the string submitted by the user before making a system call

Trust: 2.88

sources: NVD: CVE-2020-14505 // JVNDB: JVNDB-2020-008660 // ZDI: ZDI-20-831 // CNVD: CNVD-2020-43172 // VULHUB: VHN-167390

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-43172

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope:lteversion:5.6

Trust: 1.0

vendor:advantechmodel:iviewscope:eqversion:5.6

Trust: 0.8

vendor:advantechmodel:iviewscope: - version: -

Trust: 0.7

vendor:advantechmodel:iviewscope:lteversion:<=5.6

Trust: 0.6

sources: ZDI: ZDI-20-831 // CNVD: CNVD-2020-43172 // JVNDB: JVNDB-2020-008660 // NVD: CVE-2020-14505

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14505
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-008660
value: CRITICAL

Trust: 0.8

ZDI: CVE-2020-14505
value: CRITICAL

Trust: 0.7

CNVD: CNVD-2020-43172
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202007-961
value: CRITICAL

Trust: 0.6

VULHUB: VHN-167390
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-14505
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008660
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-43172
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-167390
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14505
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-008660
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-14505
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-831 // CNVD: CNVD-2020-43172 // VULHUB: VHN-167390 // JVNDB: JVNDB-2020-008660 // CNNVD: CNNVD-202007-961 // NVD: CVE-2020-14505

PROBLEMTYPE DATA

problemtype:CWE-74

Trust: 1.9

problemtype:CWE-77

Trust: 1.0

sources: VULHUB: VHN-167390 // JVNDB: JVNDB-2020-008660 // NVD: CVE-2020-14505

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-961

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202007-961

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-008660

PATCH
title:Top Pageurl:https://www.advantech.co.jp
Trust: 0.8
title:Advantech has issued an update to correct this vulnerability.url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33
Trust: 0.7
title:Patch for Advantech iView command injection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/227259
Trust: 0.6
title:Advantech iView Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124489
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-831 // 
            
            
            
            CNVD: CNVD-2020-43172 // 
            
            
            
            JVNDB: JVNDB-2020-008660 // 
            
            
            
            CNNVD: CNNVD-202007-961

EXTERNAL IDS
db:NVDid:CVE-2020-14505
Trust: 3.8
db:ICS CERTid:ICSA-20-196-01
Trust: 2.5
db:ZDIid:ZDI-20-831
Trust: 2.4
db:JVNid:JVNVU95694616
Trust: 0.8
db:JVNDBid:JVNDB-2020-008660
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-10645
Trust: 0.7
db:CNNVDid:CNNVD-202007-961
Trust: 0.7
db:CNVDid:CNVD-2020-43172
Trust: 0.6
db:NSFOCUSid:47233
Trust: 0.6
db:AUSCERTid:ESB-2020.2382
Trust: 0.6
db:VULHUBid:VHN-167390
Trust: 0.1
sources:
            
            
            ZDI: ZDI-20-831 // 
            
            
            
            CNVD: CNVD-2020-43172 // 
            
            
            
            VULHUB: VHN-167390 // 
            
            
            
            JVNDB: JVNDB-2020-008660 // 
            
            
            
            CNNVD: CNNVD-202007-961 // 
            
            
            
            NVD: CVE-2020-14505

REFERENCES
url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01
Trust: 3.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-14505
Trust: 2.0
url:https://www.zerodayinitiative.com/advisories/zdi-20-831/
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-14505
Trust: 0.8
url:https://jvn.jp/vu/jvnvu95694616/
Trust: 0.8
url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33
Trust: 0.7
url:https://www.auscert.org.au/bulletins/esb-2020.2382/
Trust: 0.6
url:http://www.nsfocus.net/vulndb/47233
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-831 // 
            
            
            
            CNVD: CNVD-2020-43172 // 
            
            
            
            VULHUB: VHN-167390 // 
            
            
            
            JVNDB: JVNDB-2020-008660 // 
            
            
            
            CNNVD: CNNVD-202007-961 // 
            
            
            
            NVD: CVE-2020-14505

CREDITS
rgod
Trust: 0.7
sources:
            
            
            ZDI: ZDI-20-831

SOURCES
db:ZDIid:ZDI-20-831
db:CNVDid:CNVD-2020-43172
db:VULHUBid:VHN-167390
db:JVNDBid:JVNDB-2020-008660
db:CNNVDid:CNNVD-202007-961
db:NVDid:CVE-2020-14505

LAST UPDATE DATE
2024-08-14T14:03:39.038000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-20-831date:2020-07-16T00:00:00
db:CNVDid:CNVD-2020-43172date:2020-07-30T00:00:00
db:VULHUBid:VHN-167390date:2020-07-22T00:00:00
db:JVNDBid:JVNDB-2020-008660date:2020-09-18T00:00:00
db:CNNVDid:CNNVD-202007-961date:2020-12-31T00:00:00
db:NVDid:CVE-2020-14505date:2020-07-22T14:59:39.213

SOURCES RELEASE DATE
db:ZDIid:ZDI-20-831date:2020-07-16T00:00:00
db:CNVDid:CNVD-2020-43172date:2020-07-27T00:00:00
db:VULHUBid:VHN-167390date:2020-07-15T00:00:00
db:JVNDBid:JVNDB-2020-008660date:2020-09-18T00:00:00
db:CNNVDid:CNNVD-202007-961date:2020-07-14T00:00:00
db:NVDid:CVE-2020-14505date:2020-07-15T02:15:12.627