CVE-2020-12048

{"id": "CVE-2020-12048", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-06-29T14:15:11.990", "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."}, {"lang": "es", "value": "Phoenix Hemodialysis Delivery System SW versiones 3.36 y 3.40, el dispositivo Phoenix Hemodialysis no admite el cifrado de datos en tr\u00e1nsito (por ejemplo, TLS/SSL) al transmitir datos de tratamiento y prescripci\u00f3n en la red entre el sistema Phoenix y la herramienta de gesti\u00f3n de datos de di\u00e1lisis Exalis. Un atacante con acceso a la red podr\u00eda observar el tratamiento confidencial y los datos de prescripci\u00f3n enviados entre el sistema Phoenix y la herramienta Exalis"}], "lastModified": "2020-07-16T13:12:20.120", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D4EE9264-DAE6-4010-A27E-DFA71C1CD165"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1809D598-FB9F-4D54-8B3F-119B3A549F05"}, {"criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B2F08A4-7907-400E-9D60-812A2F0BA929"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}