CVE-2020-14478 - OpenCVE

A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact None

Availability Impact Partial

AV:L/AC:L/Au:N/C:C/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rockwellautomation	Factorytalk Services Platform

Configuration 1 [-]

cpe:2.3:a:rockwellautomation:factorytalk_services_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-02-24T18:27:13.156004Z

Updated: 2024-09-17T00:06:14.874Z

Reserved: 2020-06-19T00:00:00

Link: CVE-2020-14478

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-24T19:15:08.760

Modified: 2022-03-04T16:58:03.797

Link: CVE-2020-14478

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "FactoryTalk Services Platform", "vendor": "Rockwell Automation", "versions": [{"lessThanOrEqual": "6.11.00", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-06-25T00:00:00", "descriptions": [{"lang": "en", "value": "A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-24T18:27:13", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02"}], "source": {"discovery": "UNKNOWN"}, "title": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2020-06-25T16:00:00.000Z", "ID": "CVE-2020-14478", "STATE": "PUBLIC", "TITLE": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FactoryTalk Services Platform", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.11.00"}]}}]}, "vendor_name": "Rockwell Automation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:34.656Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-14478", "datePublished": "2022-02-24T18:27:13.156004Z", "dateReserved": "2020-06-19T00:00:00", "dateUpdated": "2024-09-17T00:06:14.874Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_services_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B2D37A3-D26B-4C82-A090-49598EB21429", "versionEndIncluding": "6.11.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services."}, {"lang": "es", "value": "Un atacante local y autenticado podr\u00eda usar un ataque de tipo XML External Entity (XXE) para explotar archivos XML d\u00e9bilmente configurados para acceder a contenido local o remoto. Un ataque exitoso podr\u00eda causar una condici\u00f3n de denegaci\u00f3n de servicio y permitir al atacante leer arbitrariamente cualquier archivo local por medio de servicios a nivel de sistema"}], "id": "CVE-2020-14478", "lastModified": "2022-03-04T16:58:03.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-24T19:15:08.760", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}