{"containers": {"cna": {"affected": [{"product": "Intelligent Power manager (IPM)", "vendor": "Eaton", "versions": [{"lessThanOrEqual": "1.67", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Eaton would like to thank Sivathmican Sivakumaran for working with Eaton and helping Eaton in releasing more robust and secure products."}], "datePublic": "2020-05-04T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-12T21:06:24.000Z", "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/"}], "solutions": [{"lang": "en", "value": "Update the software to latest version 1.68."}], "source": {"advisory": "ETN-VA-202-1004", "defect": ["ETN-VA-202-1004"], "discovery": "EXTERNAL"}, "title": "Command injection via specially crafted file name during config file upload", "workarounds": [{"lang": "en", "value": "Block ports 4679 & 4680 at enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "CybersecurityCOE@eaton.com", "DATE_PUBLIC": "2020-05-04T10:43:00.000Z", "ID": "CVE-2020-6651", "STATE": "PUBLIC", "TITLE": "Command injection via specially crafted file name during config file upload"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intelligent Power manager (IPM)", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.67"}]}}]}, "vendor_name": "Eaton"}]}}, "credit": [{"lang": "eng", "value": "Eaton would like to thank Sivathmican Sivakumaran for working with Eaton and helping Eaton in releasing more robust and secure products."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf", "refsource": "MISC", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/"}]}, "solution": [{"lang": "en", "value": "Update the software to latest version 1.68."}], "source": {"advisory": "ETN-VA-202-1004", "defect": ["ETN-VA-202-1004"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Block ports 4679 & 4680 at enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:11:05.013Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/"}]}]}, "cveMetadata": {"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "assignerShortName": "Eaton", "cveId": "CVE-2020-6651", "datePublished": "2020-05-07T15:58:21.660Z", "dateReserved": "2020-01-09T00:00:00.000Z", "dateUpdated": "2024-09-16T23:06:52.876Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E94000EF-A58E-4E02-93B2-2FA18D6DD0E6", "versionEndIncluding": "1.67", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application."}, {"lang": "es", "value": "La Comprobaci\u00f3n de Entrada Inapropiada en Eaton Intelligent Power Manager (IPM) versiones v1.67 y anteriores, en el nombre del archivo durante la funcionalidad de importaci\u00f3n del archivo de configuraci\u00f3n permite a atacantes realizar la inyecci\u00f3n de comandos o la ejecuci\u00f3n del c\u00f3digo por medio de nombres de archivo especialmente dise\u00f1ados mientras se carga el archivo de configuraci\u00f3n en la aplicaci\u00f3n."}], "id": "CVE-2020-6651", "lastModified": "2024-11-21T05:36:05.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-07T16:15:11.313", "references": [{"source": "CybersecurityCOE@eaton.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"source": "CybersecurityCOE@eaton.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-649/"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}