ID

VAR-202011-0705


CVE

CVE-2020-26075


TITLE

Cisco IoT Field Network Director SQL injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-72729 // CNNVD: CNNVD-202011-1626

DESCRIPTION

A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to gain access to the back-end database of an affected device. The vulnerability is due to insufficient input validation of REST API requests that are made to an affected device. An attacker could exploit this vulnerability by crafting malicious API requests to the affected device. A successful exploit could allow the attacker to gain access to the back-end database of the affected device.

Cisco IoT Field Network Director (IoT-FND) is an end-to-end Internet of Things management system from Cisco in the United States. The system has functions such as equipment management, asset tracking and smart metering.

Trust: 2.79

sources: NVD: CVE-2020-26075 // JVNDB: JVNDB-2020-013473 // CNVD: CNVD-2020-72729 // CNNVD: CNNVD-202011-1626 // VULHUB: VHN-180117

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-72729

AFFECTED PRODUCTS

vendor: cisco
model: iot field network director
scope: lt
version: 4.6.1

Trust: 1.6

vendor: Cisco Systems
model: cisco iot field network director
scope: eq
version: -

Trust: 0.8

sources: CNVD: CNVD-2020-72729 // JVNDB: JVNDB-2020-013473 // NVD: CVE-2020-26075

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-26075
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-26075
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-26075
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-72729
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202011-1626
value: HIGH

Trust: 0.6

VULHUB: VHN-180117
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-26075
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-72729
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-180117
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-26075
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-26075
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.0

Trust: 1.0

NVD: CVE-2020-26075
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-72729 // VULHUB: VHN-180117 // JVNDB: JVNDB-2020-013473 // CNNVD: CNNVD-202011-1626 // NVD: CVE-2020-26075 // NVD: CVE-2020-26075

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:SQL injection (CWE-89) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-180117 // JVNDB: JVNDB-2020-013473 // NVD: CVE-2020-26075

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-1626

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202011-1626

PATCH

title: cisco-sa-FND-SQL-zEkBnL2h
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SQL-zEkBnL2h

Trust: 0.8

title: Patch for Cisco IoT Field Network Director SQL injection vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/242260

Trust: 0.6

sources: CNVD: CNVD-2020-72729 // JVNDB: JVNDB-2020-013473

EXTERNAL IDS

db: NVD, id: CVE-2020-26075

Trust: 3.1

db: JVNDB, id: JVNDB-2020-013473

Trust: 0.8

db: CNNVD, id: CNNVD-202011-1626

Trust: 0.7

db: CNVD, id: CNVD-2020-72729

Trust: 0.6

db: AUSCERT, id: ESB-2020.4106

Trust: 0.6

db: VULHUB, id: VHN-180117

Trust: 0.1

sources: CNVD: CNVD-2020-72729 // VULHUB: VHN-180117 // JVNDB: JVNDB-2020-013473 // CNNVD: CNNVD-202011-1626 // NVD: CVE-2020-26075

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-26075

Trust: 2.0

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-fnd-sql-zekbnl2h

Trust: 1.7

url:https://www.auscert.org.au/bulletins/esb-2020.4106/

Trust: 0.6

sources: CNVD: CNVD-2020-72729 // VULHUB: VHN-180117 // JVNDB: JVNDB-2020-013473 // CNNVD: CNNVD-202011-1626 // NVD: CVE-2020-26075

SOURCES

db: CNVD, id: CNVD-2020-72729
db: VULHUB, id: VHN-180117
db: JVNDB, id: JVNDB-2020-013473
db: CNNVD, id: CNNVD-202011-1626
db: NVD, id: CVE-2020-26075

LAST UPDATE DATE

2024-11-23T22:44:24.089000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-72729, date: 2020-12-19T00:00:00
db: VULHUB, id: VHN-180117, date: 2020-11-25T00:00:00
db: JVNDB, id: JVNDB-2020-013473, date: 2021-07-06T09:13:00
db: CNNVD, id: CNNVD-202011-1626, date: 2020-12-03T00:00:00
db: NVD, id: CVE-2020-26075, date: 2024-11-21T05:19:10.853

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-72729, date: 2020-12-19T00:00:00
db: VULHUB, id: VHN-180117, date: 2020-11-18T00:00:00
db: JVNDB, id: JVNDB-2020-013473, date: 2021-07-06T00:00:00
db: CNNVD, id: CNNVD-202011-1626, date: 2020-11-18T00:00:00
db: NVD, id: CVE-2020-26075, date: 2020-11-18T18:15:11.637