var-202005-0948
Vulnerability from variot
Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application. Eaton's Intelligent Power Manager (IPM) There are input verification vulnerabilities, and OS Command injection vulnerability existsInformation is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Eaton Intelligent Power Manager. Authentication is required to exploit this vulnerability.The specific flaw exists within system_srv.js. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root on Linux or SYSTEM on Windows.
Eaton IPM 1.67 and previous versions have an input validation error vulnerability, which stems from the program's failure to correctly verify the name of the configuration file
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202005-0948",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "intelligent power manager",
"scope": "lte",
"trust": 1.0,
"vendor": "eaton",
"version": "1.67"
},
{
"model": "intelligent power manager",
"scope": "eq",
"trust": 0.9,
"vendor": "eaton",
"version": "1.67"
},
{
"model": "intelligent power manager",
"scope": null,
"trust": 0.7,
"vendor": "eaton",
"version": null
},
{
"model": "intelligent power manager",
"scope": "lte",
"trust": 0.6,
"vendor": "eaton",
"version": "\u003c=1.67"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:eaton:intelligent_power_manager",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sivathmican Sivakumaran of Trend Micro Zero Day Initiative",
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-649"
}
],
"trust": 0.7
},
"cve": "CVE-2020-6651",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.8,
"id": "CVE-2020-6651",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2020-005112",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.8,
"id": "CNVD-2020-35496",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.3,
"id": "CVE-2020-6651",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "CybersecurityCOE@eaton.com",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2020-6651",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.3,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2020-005112",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2020-6651",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-6651",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CybersecurityCOE@eaton.com",
"id": "CVE-2020-6651",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2020-005112",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2020-6651",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2020-35496",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202005-253",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2020-6651",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Improper Input Validation in Eaton\u0027s Intelligent Power Manager (IPM) v 1.67 \u0026 prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application. Eaton\u0027s Intelligent Power Manager (IPM) There are input verification vulnerabilities, and OS Command injection vulnerability existsInformation is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Eaton Intelligent Power Manager. Authentication is required to exploit this vulnerability.The specific flaw exists within system_srv.js. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root on Linux or SYSTEM on Windows. \n\r\n\r\nEaton IPM 1.67 and previous versions have an input validation error vulnerability, which stems from the program\u0027s failure to correctly verify the name of the configuration file",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-6651"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "VULMON",
"id": "CVE-2020-6651"
}
],
"trust": 2.88
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-6651",
"trust": 3.8
},
{
"db": "ZDI",
"id": "ZDI-20-649",
"trust": 2.4
},
{
"db": "ICS CERT",
"id": "ICSA-20-133-01",
"trust": 1.4
},
{
"db": "JVN",
"id": "JVNVU91250818",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-9854",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2020-35496",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1678",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "47235",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202005-253",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2020-6651",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"id": "VAR-202005-0948",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35496"
}
],
"trust": 1.1833333000000001
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35496"
}
]
},
"last_update_date": "2024-11-23T22:05:37.964000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ETN-VA-2020-1004",
"trust": 0.8,
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"
},
{
"title": "Eaton has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-133-01"
},
{
"title": "Patch for Eaton Intelligent Power Manager Input Verification Error Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/224035"
},
{
"title": "Eaton Intelligent Power Manager Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118624"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.8
},
{
"problemtype": "CWE-20",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-133-01"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-6651"
},
{
"trust": 1.7,
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"
},
{
"trust": 1.7,
"url": "https://www.zerodayinitiative.com/advisories/zdi-20-649/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6651"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu91250818/"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/47235"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1678/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
},
{
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-05-12T00:00:00",
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"date": "2020-07-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"date": "2020-05-07T00:00:00",
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"date": "2020-06-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"date": "2020-05-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202005-253"
},
{
"date": "2020-05-07T16:15:11.313000",
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-05-12T00:00:00",
"db": "ZDI",
"id": "ZDI-20-649"
},
{
"date": "2020-07-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-35496"
},
{
"date": "2020-05-12T00:00:00",
"db": "VULMON",
"id": "CVE-2020-6651"
},
{
"date": "2020-06-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-005112"
},
{
"date": "2020-07-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202005-253"
},
{
"date": "2024-11-21T05:36:05.900000",
"db": "NVD",
"id": "CVE-2020-6651"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Eaton\u0027s Intelligent Power Manager Input verification vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-005112"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202005-253"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.