CVE-2020-8478

Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder.

CVSS v3 3.3 LOW
CVSS v2.0 2.1 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:abb:mms_server::::::::
	cpe:2.3:a:abb:opc_server::::::::

cpe:2.3:h:abb:ac800m:-:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:abb:base_software:*:*:*:*:*:softcontrol:*:*

History

No history.

Information

Published : 2020-04-29 02:15

Updated : 2020-05-13 18:48

NVD link : CVE-2020-8478

Mitre link : CVE-2020-8478

CVE.ORG link : CVE-2020-8478

JSON object : View

Products Affected

abb

opc_server
ac800m
base_software
mms_server

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2020-8478", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "cybersecurity@ch.abb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}]}, "published": "2020-04-29T02:15:11.763", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["Vendor Advisory"], "source": "cybersecurity@ch.abb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Secondary", "source": "cybersecurity@ch.abb.com", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Insufficient protection of the inter-process communication functions in ABB System 800xA products OPC Server for AC 800M, MMS Server for AC 800M and Base Software for SoftControl (all published versions) enables an attacker authenticated on the local system to inject data, affecting the online view of runtime data shown in Control Builder."}, {"lang": "es", "value": "Una protecci\u00f3n insuficiente de las funciones de comunicaci\u00f3n entre procesos en los productos OPC Server para AC 800M, MMS Server para AC 800M y Base Software para SoftControl (todas las versiones publicadas) de ABB System 800xA, permite a un atacante autenticado en el sistema local inyectar datos, afectando la visualizaci\u00f3n en l\u00ednea de los datos del tiempo de ejecuci\u00f3n que se muestran en Control Builder."}], "lastModified": "2020-05-13T18:48:00.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:abb:mms_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "296927D5-AF68-488F-A606-818ACD253B75"}, {"criteria": "cpe:2.3:a:abb:opc_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9BF1B4E-225B-4A2C-A5EB-996A6CCA1F79"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abb:ac800m:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "18F5825D-A99A-4109-A08F-114C7D6D3FC3"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:abb:base_software:*:*:*:*:*:softcontrol:*:*", "vulnerable": true, "matchCriteriaId": "D30E09D7-4C4D-459F-95DC-3B9FA341E5A4"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@ch.abb.com"}