Details of VAR-202009-0304

ID

VAR-202009-0304

CVE

CVE-2020-14519

TITLE

CodeMeter Vulnerability regarding same-origin policy violation in

Trust: 0.8

sources: JVNDB: JVNDB-2020-011223

DESCRIPTION

This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515. CodeMeter Exists in a vulnerability related to same-origin policy violations.Information may be tampered with. Siemens SIMATIC WinCC OA (Open Architecture) is a set of SCADA system of Siemens (Siemens), Germany, and it is also an integral part of HMI series. The system is mainly suitable for industries such as rail transit, building automation and public power supply. Information Server is used to report and visualize the process data stored in the Process Historian. SINEC INS is a web-based application that combines various network services in one tool. Many Siemens products have security vulnerabilities. Attackers can use vulnerabilities to change or create license files

Trust: 2.16

sources: NVD: CVE-2020-14519 // JVNDB: JVNDB-2020-011223 // CNVD: CNVD-2020-51241

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-51241

AFFECTED PRODUCTS

vendor:	wibu	model:	codemeter	scope:	lt	version:	7.00	Trust: 1.0
vendor:	wibu	model:	codemeter	scope:	-	version:	-	Trust: 0.8
vendor:	wibu	model:	codemeter	scope:	eq	version:	7.00	Trust: 0.8
vendor:	wibu	model:	codemeter	scope:	eq	version:	-	Trust: 0.8
vendor:	siemens	model:	sinec ins	scope:	-	version:	-	Trust: 0.6
vendor:	siemens	model:	sinema remote connect	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // NVD: CVE-2020-14519

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-14519
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-14519
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-51241
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202009-486
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-14519
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-51241
severity:	HIGH
baseScore:	9.4
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-14519
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-14519
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486 // NVD: CVE-2020-14519

PROBLEMTYPE DATA

problemtype:	CWE-346	Trust: 1.0
problemtype:	Same-origin policy violation (CWE-346) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-011223 // NVD: CVE-2020-14519

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-486

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202009-486

PATCH

title:	CodeMeter	url:	https://www.wibu.com/products/codemeter.html	Trust: 0.8
title:	Patch for Multiple Siemens products verification error vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/233347	Trust: 0.6
title:	Wibu-Systems AG CodeMeter Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=127907	Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486

EXTERNAL IDS

db:	NVD	id:	CVE-2020-14519	Trust: 3.8
db:	ICS CERT	id:	ICSA-20-203-01	Trust: 2.4
db:	JVN	id:	JVNVU90770748	Trust: 0.8
db:	JVN	id:	JVNVU94568336	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-011223	Trust: 0.8
db:	SIEMENS	id:	SSA-455843	Trust: 0.6
db:	CNVD	id:	CNVD-2020-51241	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3076.2	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3076.3	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.3076	Trust: 0.6
db:	CS-HELP	id:	SB2022021806	Trust: 0.6
db:	CNNVD	id:	CNNVD-202009-486	Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486 // NVD: CVE-2020-14519

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14519	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu94568336/	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu90770748/	Trust: 0.8
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-455843.pdf	Trust: 0.6
url:	https://vigilance.fr/vulnerability/siemens-simatic-six-vulnerabilities-via-wibu-systems-codemeter-runtime-33282	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022021806	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3076.2/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3076.3/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.3076/	Trust: 0.6

sources: CNVD: CNVD-2020-51241 // JVNDB: JVNDB-2020-011223 // CNNVD: CNNVD-202009-486 // NVD: CVE-2020-14519

SOURCES

db:	CNVD	id:	CNVD-2020-51241
db:	JVNDB	id:	JVNDB-2020-011223
db:	CNNVD	id:	CNNVD-202009-486
db:	NVD	id:	CVE-2020-14519

LAST UPDATE DATE

2024-08-14T13:01:37.325000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-51241	date:	2020-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2020-011223	date:	2022-03-15T05:12:00
db:	CNNVD	id:	CNNVD-202009-486	date:	2022-02-21T00:00:00
db:	NVD	id:	CVE-2020-14519	date:	2020-09-22T18:07:41.903

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-51241	date:	2020-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2020-011223	date:	2021-03-24T00:00:00
db:	CNNVD	id:	CNNVD-202009-486	date:	2020-09-08T00:00:00
db:	NVD	id:	CVE-2020-14519	date:	2020-09-16T20:15:13.723