CVE-2020-24680 - OpenCVE

In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Abb	Symphony \+ Historian Symphony \+ Operations

Configuration 1 [-]

OR	cpe:2.3:a:abb:symphony_\+_historian:3.0:::::::*
	cpe:2.3:a:abb:symphony_\+_historian:3.1:::::::*
	cpe:2.3:a:abb:symphony_\+_operations:1.1:::::::*
	cpe:2.3:a:abb:symphony_\+_operations:2.0:::::::*
	cpe:2.3:a:abb:symphony_\+_operations:2.1:sp1::::::
	cpe:2.3:a:abb:symphony_\+_operations:2.1:sp2::::::
	cpe:2.3:a:abb:symphony_\+_operations:3.0:::::::*
	cpe:2.3:a:abb:symphony_\+_operations:3.1:::::::*
	cpe:2.3:a:abb:symphony_\+_operations:3.2:::::::*
	cpe:2.3:a:abb:symphony_\+_operations:3.3:::::::*

No data.

References

Link	Providers
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch

History

Tue, 17 Sep 2024 02:00:00 +0000

Type	Values Removed	Values Added
Title	Improper Credential Storage in Symphony Plus	Improper Credential Storage in Symphony Plus

MITRE

Status: PUBLISHED

Assigner: ABB

Published: 2020-12-22T21:18:37.038625Z

Updated: 2024-09-17T01:51:49.326Z

Reserved: 2020-08-26T00:00:00

Link: CVE-2020-24680

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-22T22:15:13.647

Modified: 2021-10-07T19:05:14.150

Link: CVE-2020-24680

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ABB Ability\u2122 Symphony\u00ae Plus Operations", "vendor": "ABB", "versions": [{"lessThan": "3.3 Service Pack 1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "2.1 SP2 Rollup 2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "2.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "ABB Ability\u2122 Symphony\u00ae Plus Historian", "vendor": "ABB", "versions": [{"lessThan": "3.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-12-15T00:00:00", "descriptions": [{"lang": "en", "value": "In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-255", "description": "CWE-255 Credentials Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-22T21:18:37", "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch"}], "source": {"advisory": "2PAA123980, 2PAA123982", "discovery": "INTERNAL"}, "title": "Improper Credential Storage in Symphony Plus", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@ch.abb.com", "DATE_PUBLIC": "2020-12-15T13:10:00.000Z", "ID": "CVE-2020-24680", "STATE": "PUBLIC", "TITLE": "Improper Credential Storage in Symphony Plus"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Operations", "version": {"version_data": [{"version_affected": "<", "version_value": "3.3 Service Pack 1"}, {"version_affected": "<", "version_value": "2.1 SP2 Rollup 2"}, {"version_affected": "<", "version_value": "2.2"}]}}, {"product_name": "ABB Ability\u2122 Symphony\u00ae Plus Historian", "version": {"version_data": [{"version_affected": "<", "version_value": "3.2"}]}}]}, "vendor_name": "ABB"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-255 Credentials Management"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "source": {"advisory": "2PAA123980, 2PAA123982", "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:09.226Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch"}]}]}, "cveMetadata": {"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "assignerShortName": "ABB", "cveId": "CVE-2020-24680", "datePublished": "2020-12-22T21:18:37.038625Z", "dateReserved": "2020-08-26T00:00:00", "dateUpdated": "2024-09-17T01:51:49.326Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAAEE275-0C2C-4D15-B0CB-B51706015769", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_historian:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "8A89B5F4-5BE7-4B0E-9ADF-46630017221C", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "21FB4D84-598C-486D-9A16-F24AEAA8B2A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "96371CD8-6C8A-459E-9A7E-34694B9F648E", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp1:*:*:*:*:*:*", "matchCriteriaId": "5D3E3D88-6544-459D-A5F3-AFB682FF8462", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:2.1:sp2:*:*:*:*:*:*", "matchCriteriaId": "ED64EBDB-B30B-49ED-88C9-7FC2B092FEA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6281EC9-5771-4B95-B18C-C11A0EABDA25", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3B553708-205B-4B87-BFE9-1570C1AAE06F", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "C8D38257-9207-4AED-818F-EA6E09393491", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:symphony_\\+_operations:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "7EBFA7A6-0EF8-46FC-B92F-AF448531B997", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database."}, {"lang": "es", "value": "En S+ Operations y S+ Historian, las contrase\u00f1as de los usuarios internos (no usuarios de Windows) est\u00e1n cifradas pero almacenadas incorrectamente en una base de datos"}], "id": "CVE-2020-24680", "lastModified": "2021-10-07T19:05:14.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2020-12-22T22:15:13.647", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"source": "cybersecurity@ch.abb.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-255"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}