CVE-2020-27212

STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. The flash read-out protection (RDP) can be degraded from RDP level 2 (no access via debug interface) to level 1 (limited access via debug interface) by injecting a fault during the boot phase.

Data is provided by the National Vulnerability Database (NVD)
StStm32cubel4 Firmware Version <= 1.16.0
   StStm32l412c8 Version-
   StStm32l412cb Version-
   StStm32l412k8 Version-
   StStm32l412kb Version-
   StStm32l412r8 Version-
   StStm32l412rb Version-
   StStm32l412t8 Version-
   StStm32l412tb Version-
   StStm32l422cb Version-
   StStm32l422kb Version-
   StStm32l422rb Version-
   StStm32l422tb Version-
   StStm32l431cb Version-
   StStm32l431cc Version-
   StStm32l431kb Version-
   StStm32l431kc Version-
   StStm32l431rb Version-
   StStm32l431rc Version-
   StStm32l431vc Version-
   StStm32l432kb Version-
   StStm32l432kc Version-
   StStm32l433cb Version-
   StStm32l433cc Version-
   StStm32l433rb Version-
   StStm32l433rc Version-
   StStm32l433vc Version-
   StStm32l442kc Version-
   StStm32l443cc Version-
   StStm32l443rc Version-
   StStm32l443vc Version-
   StStm32l451cc Version-
   StStm32l451ce Version-
   StStm32l451rc Version-
   StStm32l451re Version-
   StStm32l451vc Version-
   StStm32l451ve Version-
   StStm32l452cc Version-
   StStm32l452ce Version-
   StStm32l452rc Version-
   StStm32l452re Version-
   StStm32l452vc Version-
   StStm32l452ve Version-
   StStm32l462ce Version-
   StStm32l462re Version-
   StStm32l462ve Version-
   StStm32l471qe Version-
   StStm32l471qg Version-
   StStm32l471re Version-
   StStm32l471rg Version-
   StStm32l471ve Version-
   StStm32l471vg Version-
   StStm32l471ze Version-
   StStm32l471zg Version-
   StStm32l475rc Version-
   StStm32l475re Version-
   StStm32l475rg Version-
   StStm32l475vc Version-
   StStm32l475ve Version-
   StStm32l475vg Version-
   StStm32l476je Version-
   StStm32l476jg Version-
   StStm32l476me Version-
   StStm32l476mg Version-
   StStm32l476qe Version-
   StStm32l476qg Version-
   StStm32l476rc Version-
   StStm32l476re Version-
   StStm32l476rg Version-
   StStm32l476vc Version-
   StStm32l476ve Version-
   StStm32l476vg Version-
   StStm32l476ze Version-
   StStm32l476zg Version-
   StStm32l486jg Version-
   StStm32l486qg Version-
   StStm32l486rg Version-
   StStm32l486vg Version-
   StStm32l486zg Version-
   StStm32l496ae Version-
   StStm32l496ag Version-
   StStm32l496qe Version-
   StStm32l496qg Version-
   StStm32l496re Version-
   StStm32l496rg Version-
   StStm32l496ve Version-
   StStm32l496vg Version-
   StStm32l496wg Version-
   StStm32l496ze Version-
   StStm32l496zg Version-
   StStm32l4a6ag Version-
   StStm32l4a6qg Version-
   StStm32l4a6rg Version-
   StStm32l4a6vg Version-
   StStm32l4a6zg Version-
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.1% | 0.274
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 7 | 1 | 5.9 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 4.4 | 3.4 | 6.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.