ID

VAR-202012-0715


CVE

CVE-2020-27687


TITLE

Thingsboard injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-05090 // CNNVD: CNNVD-202012-1410

DESCRIPTION

ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen. ThingsBoard contains an injection vulnerability and an input validation vulnerability. Information may be obtained, information may be tampered with, and the service may be put into a denial-of-service (DoS) state. ThingsBoard is a Java-based platform by the ThingsBoard team for IoT device monitoring, management, and data collection.

Trust: 2.7

sources: NVD: CVE-2020-27687 // JVNDB: JVNDB-2020-014785 // CNVD: CNVD-2021-05090 // CNNVD: CNNVD-202012-1410
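As an added example (not code from the ThingsBoard project), the vulnerable link-building pattern the description refers to, beside a hardened version that takes the link origin from configuration and rejects any Host value outside an allowlist. The base URL, host names, reset path and token are all constructed for illustration.

```python
# Added example (not ThingsBoard's code): unvalidated Host header vs. a configured origin.
# All host names, URLs, the reset path and the token below are constructed.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Deployment-time configuration: the only origin this instance should ever put in mail.
CONFIGURED_BASE_URL = "https://iot.example.com"
ALLOWED_HOSTS = {"iot.example.com", "iot.example.com:443"}
RESET_PATH = "/reset-password"   # placeholder path, not the real endpoint


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Pre-fix pattern: the link origin is copied from the client-supplied Host header,
    so a request carrying a forged Host yields a mail that points at that host."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?resetToken={token}"


def host_is_allowed(host: str) -> bool:
    """Exact match on the full authority (host[:port]); no suffix or substring matching,
    which would let 'iot.example.com.rogue.example.org' through."""
    return host.strip().lower() in ALLOWED_HOSTS


def hardened_reset_link(headers: dict, token: str) -> Optional[str]:
    """Fixed pattern: refuse requests whose Host is not on the allowlist, and build the
    link from CONFIGURED_BASE_URL rather than from anything in the request.
    Returns None so the caller can reject the request and log the unexpected Host."""
    if not host_is_allowed(headers.get("Host", "")):
        return None
    base = urlsplit(CONFIGURED_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, RESET_PATH, f"resetToken={token}", ""))


# Constructed requests: one from the real front end, one with a forged Host header.
LEGIT_REQUEST = {"Host": "iot.example.com"}
FORGED_REQUEST = {"Host": "rogue.example.org"}

if __name__ == "__main__":
    print("vulnerable, forged Host ->", vulnerable_reset_link(FORGED_REQUEST, "tok123"))
    print("hardened,   forged Host ->", hardened_reset_link(FORGED_REQUEST, "tok123"))
    print("hardened,   legit Host  ->", hardened_reset_link(LEGIT_REQUEST, "tok123"))
```

A request rejected by `host_is_allowed` is a useful detection signal in itself: a production front end never sends an unexpected Host, so logging these rejections surfaces probing of the reset endpoint.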

IOT TAXONOMY

category: ['IoT'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-05090

AFFECTED PRODUCTS

vendor: thingsboard // model: thingsboard // scope: lt // version: 3.2

Trust: 1.0

vendor: thingsboard // model: thingsboard // scope: eq // version: 3.2

Trust: 0.8

vendor: thingsboard // model: thingsboard // scope: eq // version: -

Trust: 0.8

vendor: thingsboard // model: thingsboard // scope: lt // version: v3.2

Trust: 0.6

sources: CNVD: CNVD-2021-05090 // JVNDB: JVNDB-2020-014785 // NVD: CVE-2020-27687

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27687
value: HIGH

Trust: 1.0

NVD: CVE-2020-27687
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-05090
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202012-1410
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-27687
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-05090
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-27687
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-27687
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-05090 // JVNDB: JVNDB-2020-014785 // CNNVD: CNNVD-202012-1410 // NVD: CVE-2020-27687

PROBLEMTYPE DATA

problemtype: CWE-74

Trust: 1.0

problemtype: CWE-20

Trust: 1.0

problemtype: Improper input validation (CWE-20) [NVD Evaluation]

Trust: 0.8

problemtype: Injection (CWE-74) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-014785 // NVD: CVE-2020-27687

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-1410

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202012-1410

PATCH

title: thingsboard // url: https://github.com/thingsboard/thingsboard/commits/master

Trust: 0.8

title: Patch for Thingsboard injection vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/245107

Trust: 0.6

title: Repair measures for the Thingsboard injection vulnerability // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137871

Trust: 0.6

sources: CNVD: CNVD-2021-05090 // JVNDB: JVNDB-2020-014785 // CNNVD: CNNVD-202012-1410

EXTERNAL IDS

db: NVD // id: CVE-2020-27687

Trust: 3.0

db: JVNDB // id: JVNDB-2020-014785

Trust: 0.8

db: CNVD // id: CNVD-2021-05090

Trust: 0.6

db: CNNVD // id: CNNVD-202012-1410

Trust: 0.6

sources: CNVD: CNVD-2021-05090 // JVNDB: JVNDB-2020-014785 // CNNVD: CNNVD-202012-1410 // NVD: CVE-2020-27687

REFERENCES

url: https://gist.github.com/vin01/26a8bb13233acd9425e7575a7ad4c936

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2020-27687

Trust: 2.0

url: https://github.com/thingsboard/thingsboard/commits/master

Trust: 1.6

sources: CNVD: CNVD-2021-05090 // JVNDB: JVNDB-2020-014785 // CNNVD: CNNVD-202012-1410 // NVD: CVE-2020-27687

SOURCES

db: CNVD // id: CNVD-2021-05090
db: JVNDB // id: JVNDB-2020-014785
db: CNNVD // id: CNNVD-202012-1410
db: NVD // id: CVE-2020-27687

LAST UPDATE DATE

2024-11-23T22:58:05.974000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2021-05090 // date: 2021-01-22T00:00:00
db: JVNDB // id: JVNDB-2020-014785 // date: 2021-08-31T05:12:00
db: CNNVD // id: CNNVD-202012-1410 // date: 2020-12-24T00:00:00
db: NVD // id: CVE-2020-27687 // date: 2024-11-21T05:21:39.017

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2021-05090 // date: 2021-01-21T00:00:00
db: JVNDB // id: JVNDB-2020-014785 // date: 2021-08-31T00:00:00
db: CNNVD // id: CNNVD-202012-1410 // date: 2020-12-18T00:00:00
db: NVD // id: CVE-2020-27687 // date: 2020-12-18T19:15:14.767