CVE-2020-27298 - OpenCVE

Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:A/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Philips	Coronary Tools Dynamic Coronary Roadmap Interventional Workspot Stentboost Live Viewforum

Configuration 1 [-]

OR	cpe:2.3:a:philips:coronary_tools:1.0:::::::*
	cpe:2.3:a:philips:dynamic_coronary_roadmap:1.0:::::::*
	cpe:2.3:a:philips:interventional_workspot:1.3.2:::::::*
	cpe:2.3:a:philips:interventional_workspot:1.4.0:::::::*
	cpe:2.3:a:philips:interventional_workspot:1.4.1:::::::*
	cpe:2.3:a:philips:interventional_workspot:1.4.3:::::::*
	cpe:2.3:a:philips:interventional_workspot:1.4.5:::::::*
	cpe:2.3:a:philips:stentboost_live:1.0:::::::*
	cpe:2.3:a:philips:viewforum:6.3v1l10:::::::*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-01-20T19:27:22

Updated: 2024-08-04T16:11:36.582Z

Reserved: 2020-10-19T00:00:00

Link: CVE-2020-27298

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-26T18:15:45.990

Modified: 2021-02-02T19:03:37.457

Link: CVE-2020-27298

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Philips Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, ViewForum", "vendor": "n/a", "versions": [{"status": "affected", "version": "Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10)."}]}], "descriptions": [{"lang": "en", "value": "Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-20T19:27:22", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-27298", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Philips Interventional WorkSpot, Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, ViewForum", "version": {"version_data": [{"version_value": "Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10)."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.582Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-27298", "datePublished": "2021-01-20T19:27:22", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-08-04T16:11:36.582Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:philips:coronary_tools:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0266F404-C684-4B08-A137-2572146C8406", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:dynamic_coronary_roadmap:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5AD07C53-5BF9-4F49-9F36-F456232B78A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:interventional_workspot:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "67EF6C48-A46E-465A-AC66-836B58089A0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:interventional_workspot:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D997305F-1D4B-4F7C-94B2-FFB03189AD86", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:interventional_workspot:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "DD3D4DF4-D219-4DCD-B976-7695ABC711FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:interventional_workspot:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A0BDE433-D4FA-4B9C-9003-066573695740", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:interventional_workspot:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "F57F0899-5A6D-47E2-9CF2-3A4BE60CC0C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:stentboost_live:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C376C250-4247-4E0E-987A-2C37445F500B", "vulnerable": true}, {"criteria": "cpe:2.3:a:philips:viewforum:6.3v1l10:*:*:*:*:*:*:*", "matchCriteriaId": "E3B747A1-197A-4F85-8581-FBF0AB77662E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component."}, {"lang": "es", "value": "Philips Interventional Workspot (versi\u00f3n 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (versi\u00f3n 1.0), ViewForum (versi\u00f3n 6.3V1L10). El software construye todo o parte de un comando del Sistema Operativo usando una entrada influenciada externamente de un componente aguas arriba, pero no neutraliza o neutraliza incorrectamente elementos especiales que podr\u00edan modificar el comando del Sistema Operativo deseado cuando se env\u00eda a un componente aguas abajo"}], "id": "CVE-2020-27298", "lastModified": "2021-02-02T19:03:37.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-26T18:15:45.990", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-019-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}