ID

VAR-202006-0324


CVE

CVE-2020-12036


TITLE

Baxter PrismaFlex and PrisMax Vulnerability in plaintext transmission of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2020-007756

DESCRIPTION

In Baxter PrismaFlex (all versions) and PrisMax (all versions prior to 3.x), the affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device. Baxter PrismaFlex and PrisMax contain a vulnerability in the transmission of important information in clear text. Information may be obtained. Baxter PrismaFlex and PrisMax are both intensive care equipment from Baxter. An information disclosure vulnerability exists in Baxter PrismaFlex (all versions) and PrisMax versions prior to 3.x.

Trust: 2.16

sources: NVD: CVE-2020-12036 // JVNDB: JVNDB-2020-007756 // CNVD: CNVD-2020-52563

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-52563

AFFECTED PRODUCTS

vendor: baxter, model: prismaflex, scope: -, version: -

Trust: 1.4

vendor: baxter, model: prismaflex, scope: eq, version: *

Trust: 1.0

vendor: baxter, model: prismax, scope: lt, version: 3.0

Trust: 1.0

vendor: baxter, model: prismax, scope: eq, version: 3.x

Trust: 0.8

vendor: baxter, model: prismax, scope: lt, version: 3.*

Trust: 0.6

sources: CNVD: CNVD-2020-52563 // JVNDB: JVNDB-2020-007756 // NVD: CVE-2020-12036

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-12036
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-007756
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-52563
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202006-1249
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-12036
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-007756
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-52563
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-12036
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-007756
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-52563 // JVNDB: JVNDB-2020-007756 // CNNVD: CNNVD-202006-1249 // NVD: CVE-2020-12036

PROBLEMTYPE DATA

problemtype:CWE-319

Trust: 1.8

sources: JVNDB: JVNDB-2020-007756 // NVD: CVE-2020-12036

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1249

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-1249

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-007756

PATCH

title: Top Page, url: https://www.baxter.com/

Trust: 0.8

title: Patch for Baxter PrismaFlex and PrisMax information disclosure vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/234643

Trust: 0.6

title: Baxter PrismaFlex and PrisMax Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124063

Trust: 0.6

sources: CNVD: CNVD-2020-52563 // JVNDB: JVNDB-2020-007756 // CNNVD: CNNVD-202006-1249

EXTERNAL IDS

db: NVD, id: CVE-2020-12036

Trust: 3.0

db: ICS CERT, id: ICSMA-20-170-02

Trust: 2.0

db: ICS CERT, id: ICSMA-20-170-01

Trust: 1.6

db: JVN, id: JVNVU91499991

Trust: 0.8

db: JVNDB, id: JVNDB-2020-007756

Trust: 0.8

db: CNVD, id: CNVD-2020-52563

Trust: 0.6

db: CNNVD, id: CNNVD-202006-1249

Trust: 0.6

sources: CNVD: CNVD-2020-52563 // JVNDB: JVNDB-2020-007756 // CNNVD: CNNVD-202006-1249 // NVD: CVE-2020-12036

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsma-20-170-01

Trust: 1.6

url:https://us-cert.cisa.gov/ics/advisories/icsma-20-170-02

Trust: 1.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-12036

Trust: 1.4

url:https://www.us-cert.gov/ics/advisories/icsma-20-170-02

Trust: 1.2

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12036

Trust: 0.8

url:https://jvn.jp/vu/jvnvu91499991/

Trust: 0.8

sources: CNVD: CNVD-2020-52563 // JVNDB: JVNDB-2020-007756 // CNNVD: CNNVD-202006-1249 // NVD: CVE-2020-12036

CREDITS

Baxter

Trust: 0.6

sources: CNNVD: CNNVD-202006-1249

SOURCES

db: CNVD, id: CNVD-2020-52563
db: JVNDB, id: JVNDB-2020-007756
db: CNNVD, id: CNNVD-202006-1249
db: NVD, id: CVE-2020-12036

LAST UPDATE DATE

2024-11-23T20:39:59.519000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-52563, date: 2020-09-17T00:00:00
db: JVNDB, id: JVNDB-2020-007756, date: 2020-08-26T00:00:00
db: CNNVD, id: CNNVD-202006-1249, date: 2020-07-15T00:00:00
db: NVD, id: CVE-2020-12036, date: 2024-11-21T04:59:09.520

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-52563, date: 2020-09-17T00:00:00
db: JVNDB, id: JVNDB-2020-007756, date: 2020-08-25T00:00:00
db: CNNVD, id: CNNVD-202006-1249, date: 2020-06-18T00:00:00
db: NVD, id: CVE-2020-12036, date: 2020-06-29T14:15:11.460