CVE-2020-6779 - OpenCVE

Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bosch	Fsm-2500 Fsm-2500 Firmware Fsm-5000 Fsm-5000 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:bosch:fsm-2500:-:*:*:*:*:*:*:*

cpe:2.3:o:bosch:fsm-2500_firmware:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:bosch:fsm-5000:-:*:*:*:*:*:*:*

cpe:2.3:o:bosch:fsm-5000_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: bosch

Published: 2021-01-25T18:41:24.858611Z

Updated: 2024-09-16T22:30:56.636Z

Reserved: 2020-01-10T00:00:00

Link: CVE-2020-6779

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-26T18:16:07.803

Modified: 2021-02-03T01:29:42.877

Link: CVE-2020-6779

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "FSM-2500", "vendor": "Bosch", "versions": [{"lessThanOrEqual": "5.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "FSM-5000", "vendor": "Bosch", "versions": [{"lessThanOrEqual": "5.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-01-20T00:00:00", "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-25T18:41:24", "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c", "shortName": "bosch"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html"}], "source": {"advisory": "BOSCH-SA-332072-BT", "discovery": "INTERNAL"}, "title": "Hard-coded Credentials in the Database of Bosch FSM-2500 Server and Bosch FSM-5000 Server", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@bosch.com", "DATE_PUBLIC": "2021-01-20", "ID": "CVE-2020-6779", "STATE": "PUBLIC", "TITLE": "Hard-coded Credentials in the Database of Bosch FSM-2500 Server and Bosch FSM-5000 Server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FSM-2500", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.2"}]}}, {"product_name": "FSM-5000", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.2"}]}}]}, "vendor_name": "Bosch"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798 Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html", "refsource": "MISC", "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html"}]}, "source": {"advisory": "BOSCH-SA-332072-BT", "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:11:04.732Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html"}]}]}, "cveMetadata": {"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c", "assignerShortName": "bosch", "cveId": "CVE-2020-6779", "datePublished": "2021-01-25T18:41:24.858611Z", "dateReserved": "2020-01-10T00:00:00", "dateUpdated": "2024-09-16T22:30:56.636Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:bosch:fsm-2500:-:*:*:*:*:*:*:*", "matchCriteriaId": "1E6F9D1B-FF23-4C52-B5E3-3727AEEBA394", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:bosch:fsm-2500_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DABF317D-63EF-4AC6-B5E5-58DB5598FB6E", "versionEndIncluding": "5.2", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:bosch:fsm-5000:-:*:*:*:*:*:*:*", "matchCriteriaId": "91E26C5C-C032-4650-8BC1-C6D78A1090F1", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:bosch:fsm-5000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE15D170-F377-4A15-AC5C-10974D034FFE", "versionEndIncluding": "5.2", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system."}, {"lang": "es", "value": "El uso de credenciales embebidas en la base de datos del servidor Bosch FSM-2500 y el servidor Bosch FSM-5000 hasta la versi\u00f3n 5.2 incluy\u00e9ndola, permite a un atacante remoto no autenticado iniciar sesi\u00f3n en la base de datos con privilegios de administrador. Esto puede resultar en un compromiso total de la confidencialidad e integridad de los datos almacenados, as\u00ed como un impacto de la alta disponibilidad en la propia base de datos. Adem\u00e1s, un atacante puede ejecutar comandos arbitrarios en el sistema operativo subyacente"}], "id": "CVE-2020-6779", "lastModified": "2021-02-03T01:29:42.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "psirt@bosch.com", "type": "Secondary"}]}, "published": "2021-01-26T18:16:07.803", "references": [{"source": "psirt@bosch.com", "tags": ["Vendor Advisory"], "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-332072-BT.html"}], "sourceIdentifier": "psirt@bosch.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "psirt@bosch.com", "type": "Secondary"}]}