CVE-2020-10626 - OpenCVE

In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allow a malicious DLL file with the same name of any resident DLLs inside the software installation to execute arbitrary code.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fazecast	Jserialcomm
Schneider-electric	Ecostruxure It Gateway

Configuration 1 [-]

cpe:2.3:a:fazecast:jserialcomm:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_it_gateway::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_it_gateway::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_it_gateway:1.7.0.64:::::::*

No data.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/ICSA2012601

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2020-05-14T15:52:13

Updated: 2024-08-04T11:06:10.152Z

Reserved: 2020-03-16T00:00:00

Link: CVE-2020-10626

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-05-14T16:15:12.530

Modified: 2022-01-31T19:33:27.307

Link: CVE-2020-10626

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Fazecast jSerialComm, Version 2.2.2 and prior", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fazecast jSerialComm, Version 2.2.2 and prior"}]}], "descriptions": [{"lang": "en", "value": "In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allow a malicious DLL file with the same name of any resident DLLs inside the software installation to execute arbitrary code."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-14T15:52:13", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/ICSA2012601"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-10626", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fazecast jSerialComm, Version 2.2.2 and prior", "version": {"version_data": [{"version_value": "Fazecast jSerialComm, Version 2.2.2 and prior"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allow a malicious DLL file with the same name of any resident DLLs inside the software installation to execute arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/ICSA2012601", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/ICSA2012601"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:06:10.152Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/ICSA2012601"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-10626", "datePublished": "2020-05-14T15:52:13", "dateReserved": "2020-03-16T00:00:00", "dateUpdated": "2024-08-04T11:06:10.152Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fazecast:jserialcomm:*:*:*:*:*:*:*:*", "matchCriteriaId": "80603734-EA55-4B86-B24E-2DE775E6067A", "versionEndIncluding": "2.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_it_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4A11B09-BD0A-424E-91F7-47B9A1BC8A39", "versionEndIncluding": "1.5.2.28", "versionStartIncluding": "1.5.0.66", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_it_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "C26B65FF-5513-4F91-ABE0-456830E874A8", "versionEndIncluding": "1.6.2.14", "versionStartIncluding": "1.6.0.39", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_it_gateway:1.7.0.64:*:*:*:*:*:*:*", "matchCriteriaId": "6446688E-74B1-4B24-8D4B-F774F22CD9A6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allow a malicious DLL file with the same name of any resident DLLs inside the software installation to execute arbitrary code."}, {"lang": "es", "value": "En Fazecast jSerialComm, Versi\u00f3n 2.2.2 y anteriores, una vulnerabilidad de elemento de ruta de b\u00fasqueda no controlada podr\u00eda permitir que un archivo DLL malicioso, con el mismo nombre de cualquiera de las DLL residentes dentro de la instalaci\u00f3n del software, ejecute c\u00f3digo arbitrario."}], "id": "CVE-2020-10626", "lastModified": "2022-01-31T19:33:27.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-14T16:15:12.530", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/ICSA2012601"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}