CVE-2020-15858

EPSS 0.28%
Published 21.08.2020 21:15:11
Last modified 21.11.2024 05:06:19
Source cve@mitre.org
Teams watchlist Login
Open Login

Some devices of Thales DIS (formerly Gemalto, formerly Cinterion) allow Directory Traversal by physically proximate attackers. The directory path access check of the internal flash file system can be circumvented. This flash file system can store application-specific data and data needed for customer Java applications, TLS and OTAP (Java over-the-air-provisioning) functionality. The affected products and releases are: BGS5 up to and including SW RN 02.000 / ARN 01.001.06 EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04 ELS61 up to and including SW RN 02.002 / ARN 01.000.04 ELS81 up to and including SW RN 05.002 / ARN 01.000.04 PLS62 up to and including SW RN 02.000 / ARN 01.000.04

Affected products Warnungen 0 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Thalesgroup ≫ Bgs5 Firmware Version <= rn_02.000_\/_arn_01.001.06

Thalesgroup ≫ Bgs5 Version-

Thalesgroup ≫ Ehs5 Firmware Version <= rn_04.003_\/_arn_01.000.04

Thalesgroup ≫ Ehs5 Version-

Thalesgroup ≫ Ehs8 Firmware Version <= rn_04.003_\/_arn_01.000.04

Thalesgroup ≫ Ehs8 Version-

Thalesgroup ≫ Ehs6 Firmware Version <= rn_04.003_\/_arn_01.000.04

Thalesgroup ≫ Ehs6 Version-

Thalesgroup ≫ Pds5 Firmware Version <= rn_04.003_\/_arn_01.000.04

Thalesgroup ≫ Pds5 Version-

Thalesgroup ≫ Pds6 Firmware Version <= rn_04.003_\/_arn_01.000.04

Thalesgroup ≫ Pds6 Version-

Thalesgroup ≫ Els61 Firmware Version <= rn_02.002_\/_arn_01.000.04

Thalesgroup ≫ Els61 Version-

Thalesgroup ≫ Els81 Firmware Version <= rn_05.002_\/_arn_01.000.04

Thalesgroup ≫ Els81 Version-

Thalesgroup ≫ Pls62 Firmware Version <= rn_02.000_\/_arn_01.000.04

Thalesgroup ≫ Pls62 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.28%	0.509

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.4	0.9	5.5	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
nvd@nist.gov	3.6	3.9	4.9	AV:L/AC:L/Au:N/C:P/I:P/A:N
cve@mitre.org	6.2	0.7	5.5	CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://packetstormsecurity.com/files/171978/Telit-Cinterion-IoT-Traversal-Escalation-Bypass-Heap-Overflow.html

http://seclists.org/fulldisclosure/2023/Apr/11

https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/resources/security-updates-cinterion-iot-modules

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-15858

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15858

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15858

EUVD