Details of VAR-202101-0351

ID

VAR-202101-0351

CVE

CVE-2020-26990

TITLE

JT2Go and Teamcenter Visualization Vulnerability regarding mistyping in

Trust: 0.8

sources: JVNDB: JVNDB-2020-015254

DESCRIPTION

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1). Affected applications lack proper validation of user-supplied data when parsing ASM files. A crafted ASM file could trigger a type confusion condition. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-11897). JT2Go and Teamcenter Visualization Exists in a mistyped vulnerability. Zero Day Initiative To this vulnerability ZDI-CAN-11897 Was numbered.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of ASM files. JT2Go is a 3D JT viewing tool that allows users to view JT, PDF, Solid Edge, PLM XML and existing JT, VFZ, CGM, TIF data. Teamcenter visualization software enables companies to enhance their product lifecycle management (PLM) environment. The software enables corporate users to access documents, 2D drawings and 3D models in a single environment

Trust: 2.79

sources: NVD: CVE-2020-26990 // JVNDB: JVNDB-2020-015254 // ZDI: ZDI-21-055 // CNVD: CNVD-2021-02581

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-02581

AFFECTED PRODUCTS

vendor:	siemens	model:	jt2go	scope:	lt	version:	13.1.0.1	Trust: 1.0
vendor:	siemens	model:	teamcenter visualization	scope:	lt	version:	13.1.0.1	Trust: 1.0
vendor:	シーメンス	model:	teamcenter visualization	scope:	eq	version:	13.1.0.1	Trust: 0.8
vendor:	シーメンス	model:	jt2go	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	jt2go	scope:	-	version:	-	Trust: 0.7
vendor:	siemens	model:	jt2go	scope:	lt	version:	v13.1.0	Trust: 0.6
vendor:	siemens	model:	teamcenter visualization	scope:	lt	version:	v13.1.0	Trust: 0.6

sources: ZDI: ZDI-21-055 // CNVD: CNVD-2021-02581 // JVNDB: JVNDB-2020-015254 // NVD: CVE-2020-26990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-26990
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-26990
value:	HIGH
Trust: 0.8
ZDI:	CVE-2020-26990
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2021-02581
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202101-847
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-26990
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-02581
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-26990
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-26990
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2020-26990
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-055 // CNVD: CNVD-2021-02581 // JVNDB: JVNDB-2020-015254 // CNNVD: CNNVD-202101-847 // NVD: CVE-2020-26990

PROBLEMTYPE DATA

problemtype:	CWE-843	Trust: 1.0
problemtype:	Wrong type (CWE-843) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-015254 // NVD: CVE-2020-26990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-847

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202101-847

PATCH

title:	SSA-622830 Siemens Security Advisory	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf	Trust: 0.8
title:	Siemens has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-012-03/	Trust: 0.7
title:	Patch for JT2Go and Teamcenter Visualization incompatible type access resource vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/243979	Trust: 0.6
title:	Siemens Jt2go and Siemens Teamcenter Visualization Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139358	Trust: 0.6

sources: ZDI: ZDI-21-055 // CNVD: CNVD-2021-02581 // JVNDB: JVNDB-2020-015254 // CNNVD: CNNVD-202101-847

EXTERNAL IDS

db:	NVD	id:	CVE-2020-26990	Trust: 3.7
db:	ZDI	id:	ZDI-21-055	Trust: 3.1
db:	SIEMENS	id:	SSA-622830	Trust: 2.2
db:	SIEMENS	id:	SSA-663999	Trust: 1.6
db:	JVN	id:	JVNVU91685542	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-015254	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-11897	Trust: 0.7
db:	CNVD	id:	CNVD-2021-02581	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-040-06	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-012-03	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0125	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0495	Trust: 0.6
db:	CNNVD	id:	CNNVD-202101-847	Trust: 0.6

sources: ZDI: ZDI-21-055 // CNVD: CNVD-2021-02581 // JVNDB: JVNDB-2020-015254 // CNNVD: CNNVD-202101-847 // NVD: CVE-2020-26990

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-21-055/	Trust: 2.4
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf	Trust: 2.2
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-26990	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu91685542/	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-012-03/	Trust: 0.7
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-012-03	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-06	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0495	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0125/	Trust: 0.6

sources: ZDI: ZDI-21-055 // CNVD: CNVD-2021-02581 // JVNDB: JVNDB-2020-015254 // CNNVD: CNNVD-202101-847 // NVD: CVE-2020-26990

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-21-055

SOURCES

db:	ZDI	id:	ZDI-21-055
db:	CNVD	id:	CNVD-2021-02581
db:	JVNDB	id:	JVNDB-2020-015254
db:	CNNVD	id:	CNNVD-202101-847
db:	NVD	id:	CVE-2020-26990

LAST UPDATE DATE

2024-08-14T13:18:06.824000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-055	date:	2021-01-14T00:00:00
db:	CNVD	id:	CNVD-2021-02581	date:	2021-01-13T00:00:00
db:	JVNDB	id:	JVNDB-2020-015254	date:	2021-09-15T08:31:00
db:	CNNVD	id:	CNNVD-202101-847	date:	2021-05-20T00:00:00
db:	NVD	id:	CVE-2020-26990	date:	2022-10-06T19:39:08.533

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-055	date:	2021-01-14T00:00:00
db:	CNVD	id:	CNVD-2021-02581	date:	2021-01-13T00:00:00
db:	JVNDB	id:	JVNDB-2020-015254	date:	2021-09-15T00:00:00
db:	CNNVD	id:	CNNVD-202101-847	date:	2021-01-12T00:00:00
db:	NVD	id:	CVE-2020-26990	date:	2021-01-12T21:15:17.260