CVE-2020-12518

On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks.

CVSS v3 5.5 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert.vde.com/en-us/advisories/vde-2020-049	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:phoenixcontact:axc_f_1152:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:phoenixcontact:axc_f_2152:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:phoenixcontact:axc_f_3152:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:h:phoenixcontact:rfc_4072s:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:h:phoenixcontact:axc_f_2152_starterkit:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:h:phoenixcontact:plcnext_technology_starterkit:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*

History

No history.

Information

Published : 2020-12-17 23:15

Updated : 2020-12-21 18:30

NVD link : CVE-2020-12518

Mitre link : CVE-2020-12518

CVE.ORG link : CVE-2020-12518

JSON object : View

Products Affected

phoenixcontact

axc_f_3152
rfc_4072s
axc_f_2152_starterkit
plcnext_technology_starterkit
axc_f_2152
plcnext_firmware
axc_f_1152

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2020-12518", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-12-17T23:15:12.983", "references": [{"url": "https://cert.vde.com/en-us/advisories/vde-2020-049", "tags": ["Third Party Advisory"], "source": "info@cert.vde.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "On Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS an attacker can use the knowledge gained by reading the insufficiently protected sensitive information to plan further attacks."}, {"lang": "es", "value": "En Phoenix Contact PLCnext Control Devices versiones anteriores a 2021.0 LTS, un atacante puede utilizar los conocimientos adquiridos al leer la informaci\u00f3n confidencial que no est\u00e1 suficientemente protegida para planificar futuros ataques"}], "lastModified": "2020-12-21T18:30:55.453", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:axc_f_1152:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2474BD7-C447-4E07-A628-C729E376943D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*", "vulnerable": true, "matchCriteriaId": "8233F8C3-5D10-4FD6-B192-39535B7B464C", "versionEndExcluding": "2021.0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:axc_f_2152:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AE2E6118-6587-444A-A143-9C3A1E6ED4FD"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*", "vulnerable": true, "matchCriteriaId": "8233F8C3-5D10-4FD6-B192-39535B7B464C", "versionEndExcluding": "2021.0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:axc_f_3152:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "57424998-4EAB-4682-BFC4-1D2A621514F4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*", "vulnerable": true, "matchCriteriaId": "8233F8C3-5D10-4FD6-B192-39535B7B464C", "versionEndExcluding": "2021.0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:rfc_4072s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0BF1EAD1-7C19-4A6E-BF87-EF3F7E526BD6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*", "vulnerable": true, "matchCriteriaId": "8233F8C3-5D10-4FD6-B192-39535B7B464C", "versionEndExcluding": "2021.0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:axc_f_2152_starterkit:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "079A104B-2016-4830-80C1-3AB969106649"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*", "vulnerable": true, "matchCriteriaId": "8233F8C3-5D10-4FD6-B192-39535B7B464C", "versionEndExcluding": "2021.0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:plcnext_technology_starterkit:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "12BDD2FE-0D7C-4868-A5E4-B1004A5C217D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:plcnext_firmware:*:*:*:*:long_term_support:*:*:*", "vulnerable": true, "matchCriteriaId": "8233F8C3-5D10-4FD6-B192-39535B7B464C", "versionEndExcluding": "2021.0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "info@cert.vde.com"}