CVE-2020-6652 - OpenCVE

Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eaton	Intelligent Power Manager

Configuration 1 [-]

cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf
https://www.zerodayinitiative.com/advisories/ZDI-20-650/

History

Tue, 17 Sep 2024 00:00:00 +0000

Type	Values Removed	Values Added
Title	Incorrect privilege assignment allowing non-admin users to upload config files	Incorrect privilege assignment allowing non-admin users to upload config files

MITRE

Status: PUBLISHED

Assigner: Eaton

Published: 2020-05-07T15:58:19.816624Z

Updated: 2024-09-16T23:45:31.152Z

Reserved: 2020-01-09T00:00:00

Link: CVE-2020-6652

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-07T16:15:11.390

Modified: 2020-05-12T22:15:12.607

Link: CVE-2020-6652

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Intelligent Power manager (IPM)", "vendor": "Eaton", "versions": [{"lessThanOrEqual": "1.67", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Eaton would like to thank Sivathmican Sivakumaran for working with Eaton and helping Eaton in releasing more robust and secure products."}], "datePublic": "2020-05-04T00:00:00", "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-12T21:06:24", "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-650/"}], "solutions": [{"lang": "en", "value": "Upgrade to the latest version 1.68 available on eaton.com"}], "source": {"advisory": "ETN-VA-202-1004", "defect": ["ETN-VA-202-1004"], "discovery": "UNKNOWN"}, "title": "Incorrect privilege assignment allowing non-admin users to upload config files", "workarounds": [{"lang": "en", "value": "Remove users which are not part of the origination and having accounts in the software. \nBlock port 4679 & 4680 at enterprise network firewall to prevent malicious users from accessing the software outside the facility."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "CybersecurityCOE@eaton.com", "DATE_PUBLIC": "2020-05-04T10:54:00.000Z", "ID": "CVE-2020-6652", "STATE": "PUBLIC", "TITLE": "Incorrect privilege assignment allowing non-admin users to upload config files"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intelligent Power manager (IPM)", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.67"}]}}]}, "vendor_name": "Eaton"}]}}, "credit": [{"lang": "eng", "value": "Eaton would like to thank Sivathmican Sivakumaran for working with Eaton and helping Eaton in releasing more robust and secure products."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-266 Incorrect Privilege Assignment"}]}]}, "references": {"reference_data": [{"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf", "refsource": "MISC", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-650/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-650/"}]}, "solution": [{"lang": "en", "value": "Upgrade to the latest version 1.68 available on eaton.com"}], "source": {"advisory": "ETN-VA-202-1004", "defect": ["ETN-VA-202-1004"], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Remove users which are not part of the origination and having accounts in the software. \nBlock port 4679 & 4680 at enterprise network firewall to prevent malicious users from accessing the software outside the facility."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:11:04.682Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-650/"}]}]}, "cveMetadata": {"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "assignerShortName": "Eaton", "cveId": "CVE-2020-6652", "datePublished": "2020-05-07T15:58:19.816624Z", "dateReserved": "2020-01-09T00:00:00", "dateUpdated": "2024-09-16T23:45:31.152Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E94000EF-A58E-4E02-93B2-2FA18D6DD0E6", "versionEndIncluding": "1.67", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 & prior allow non-admin users to upload the system configuration files by sending specially crafted requests. This can result in non-admin users manipulating the system configurations via uploading the configurations with incorrect parameters."}, {"lang": "es", "value": "Una vulnerabilidad de Asignaci\u00f3n de Privilegios Incorrecta en Eaton Intelligent Power Manager (IPM) versiones v1.67 y anteriores, permite a los usuarios no administradores cargar los archivos de configuraci\u00f3n del sistema mediante el env\u00edo de peticiones especialmente dise\u00f1adas. Esto puede resultar en que usuarios no administradores manipulen las configuraciones del sistema al cargar las configuraciones con par\u00e1metros incorrectos."}], "id": "CVE-2020-6652", "lastModified": "2020-05-12T22:15:12.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}, "published": "2020-05-07T16:15:11.390", "references": [{"source": "CybersecurityCOE@eaton.com", "tags": ["Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf"}, {"source": "CybersecurityCOE@eaton.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-650/"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-266"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}