{"containers":{"cna":{"affected":[{"product":"P+F Comtrol RocketLinx","vendor":"Pepperl+Fuchs","versions":[{"status":"affected","version":"ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F,  ES8510-XTE, ES9528/ES9528-XT all"},{"lessThan":"2.1.1","status":"affected","version":"ES7510-XT","versionType":"custom"},{"lessThan":"3.1.1","status":"affected","version":"ES8510","versionType":"custom"}]},{"product":"JetNet","vendor":"Korenix","versions":[{"lessThanOrEqual":"V1.0","status":"affected","version":"5428G-20SFP","versionType":"custom"},{"lessThanOrEqual":"V1.1","status":"affected","version":"5810G","versionType":"custom"},{"lessThanOrEqual":"V2.3b","status":"affected","version":"4706F","versionType":"custom"},{"lessThanOrEqual":"V3.0b","status":"affected","version":"4510","versionType":"custom"},{"lessThan":"V1.6","status":"affected","version":"5310","versionType":"custom"}]},{"product":"PMI-110-F2G","vendor":"Westermo","versions":[{"lessThan":"V1.8","status":"affected","version":"unspecified","versionType":"custom"}]}],"credits":[{"lang":"en","value":"T. Weber (SEC Consult Vulnerability Lab)"},{"lang":"en","value":"Coordinated by CERT@VDE"}],"datePublic":"2020-10-07T00:00:00.000Z","descriptions":[{"lang":"en","value":"Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) allows unauthenticated device administration."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"CWE-306 Missing Authentication for Critical Function","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2022-02-04T19:06:13.000Z","orgId":"270ccfa6-a436-4e77-922e-914ec3a9685c","shortName":"CERTVDE"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://cert.vde.com/de-de/advisories/vde-2020-040"},{"name":"20210601 SEC Consult SA-20210601-0 :: Multiple critical vulnerabilities in Korenix Technology JetNet Series","tags":["mailing-list","x_refsource_FULLDISC"],"url":"http://seclists.org/fulldisclosure/2021/Jun/0"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html"}],"solutions":[{"lang":"en","value":"An external protective measure is required.\n\n1) Traffic from untrusted networks to the device should be blocked by a firewall. Especially\ntraffic targeting the administration webpage.\n\n2) Administrator and user access should be protected by a secure password and only be\navailable to a very limited group of people."}],"source":{"advisory":"VDE-2020-040","discovery":"EXTERNAL"},"title":"Pepperl+Fuchs improper authorization affects multiple Comtrol RocketLinx products","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"info@cert.vde.com","DATE_PUBLIC":"2020-10-07T13:10:00.000Z","ID":"CVE-2020-12500","STATE":"PUBLIC","TITLE":"Pepperl+Fuchs improper authorization affects multiple Comtrol RocketLinx products"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"P+F Comtrol RocketLinx","version":{"version_data":[{"version_affected":"=","version_name":"ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F,  ES8510-XTE, ES9528/ES9528-XT","version_value":"all"},{"version_affected":"<","version_name":"ES7510-XT","version_value":"2.1.1"},{"version_affected":"<","version_name":"ES8510","version_value":"3.1.1"}]}}]},"vendor_name":"Pepperl+Fuchs"},{"product":{"product_data":[{"product_name":"JetNet","version":{"version_data":[{"version_affected":"<=","version_name":"5428G-20SFP","version_value":"V1.0"},{"version_affected":"<=","version_name":"5810G","version_value":"V1.1"},{"version_affected":"<=","version_name":"4706F","version_value":"V2.3b"},{"version_affected":"<=","version_name":"4510","version_value":"V3.0b"},{"version_affected":"<","version_name":"5310","version_value":"V1.6"}]}}]},"vendor_name":"Korenix"},{"product":{"product_data":[{"product_name":"PMI-110-F2G","version":{"version_data":[{"version_affected":"<","version_value":"V1.8"}]}}]},"vendor_name":"Westermo"}]}},"credit":[{"lang":"eng","value":"T. Weber (SEC Consult Vulnerability Lab)"},{"lang":"eng","value":"Coordinated by CERT@VDE"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Improper Authorization vulnerability of Pepperl+Fuchs P+F Comtrol RocketLinx ES7510-XT, ES8509-XT, ES8510-XT, ES9528-XTv2, ES7506, ES7510, ES7528, ES8508, ES8508F, ES8510, ES8510-XTE, ES9528/ES9528-XT (all versions) allows unauthenticated device administration."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-306 Missing Authentication for Critical Function"}]}]},"references":{"reference_data":[{"name":"https://cert.vde.com/de-de/advisories/vde-2020-040","refsource":"CONFIRM","url":"https://cert.vde.com/de-de/advisories/vde-2020-040"},{"name":"20210601 SEC Consult SA-20210601-0 :: Multiple critical vulnerabilities in Korenix Technology JetNet Series","refsource":"FULLDISC","url":"http://seclists.org/fulldisclosure/2021/Jun/0"},{"name":"http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html"},{"name":"https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/","refsource":"CONFIRM","url":"https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/"},{"name":"http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html"}]},"solution":[{"lang":"en","value":"An external protective measure is required.\n\n1) Traffic from untrusted networks to the device should be blocked by a firewall. Especially\ntraffic targeting the administration webpage.\n\n2) Administrator and user access should be protected by a secure password and only be\navailable to a very limited group of people."}],"source":{"advisory":"VDE-2020-040","discovery":"EXTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T11:56:52.048Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://cert.vde.com/de-de/advisories/vde-2020-040"},{"name":"20210601 SEC Consult SA-20210601-0 :: Multiple critical vulnerabilities in Korenix Technology JetNet Series","tags":["mailing-list","x_refsource_FULLDISC","x_transferred"],"url":"http://seclists.org/fulldisclosure/2021/Jun/0"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/162903/Korenix-CSRF-Backdoor-Accounts-Command-Injection-Missing-Authentication.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-westermo-pepperl-fuchs/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/165875/Korenix-Technology-JetWave-CSRF-Command-Injection-Missing-Authentication.html"}]}]},"cveMetadata":{"assignerOrgId":"270ccfa6-a436-4e77-922e-914ec3a9685c","assignerShortName":"CERTVDE","cveId":"CVE-2020-12500","datePublished":"2020-10-15T18:42:54.978Z","dateReserved":"2020-04-30T00:00:00.000Z","dateUpdated":"2024-09-17T01:10:49.072Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}