Details of VAR-202012-0817

ID

VAR-202012-0817

CVE

CVE-2020-28217

TITLE

Easergy T300 Vulnerability regarding lack of encryption of critical data in

Trust: 0.8

sources: JVNDB: JVNDB-2020-014345

DESCRIPTION

A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol. Easergy T300 There is a vulnerability in the lack of encryption of critical data.Information may be obtained. Easergy T300 is a new generation of distribution network automation intelligent terminal, adhering to the "modularity, flexibility, application-oriented" design concept, can be widely used in medium voltage distribution network management, fault location, isolation and recovery (FLISR), distributed energy integration Internet, energy growth and asset management. Easergy T300 2.7 and earlier versions have security vulnerabilities

Trust: 2.16

sources: NVD: CVE-2020-28217 // JVNDB: JVNDB-2020-014345 // CNVD: CNVD-2021-19763

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-19763

AFFECTED PRODUCTS

vendor:	schneider electric	model:	easergy t300	scope:	lte	version:	2.7	Trust: 1.0
vendor:	schneider electric	model:	easergy t300	scope:	lte	version:	easergy t300 firmware 2.7 and earlier	Trust: 0.8
vendor:	schneider electric	model:	easergy t300	scope:	eq	version:	-	Trust: 0.8
vendor:	schneider	model:	electric easergy t300	scope:	lte	version:	<=2.7	Trust: 0.6

sources: CNVD: CNVD-2021-19763 // JVNDB: JVNDB-2020-014345 // NVD: CVE-2020-28217

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-28217
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-28217
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-19763
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202012-725
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-28217
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-19763
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-28217
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-28217
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-19763 // JVNDB: JVNDB-2020-014345 // CNNVD: CNNVD-202012-725 // NVD: CVE-2020-28217

PROBLEMTYPE DATA

problemtype:	CWE-311	Trust: 1.0
problemtype:	Lack of encryption of critical data (CWE-311) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-014345 // NVD: CVE-2020-28217

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-725

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202012-725

PATCH

title:	SEVD-2020-315-06	url:	https://www.se.com/ww/en/download/document/SEVD-2020-315-06/	Trust: 0.8
title:	Patch for Schneider Electric Easergy T300 has an unspecified vulnerability (CNVD-2021-19763)	url:	https://www.cnvd.org.cn/patchInfo/show/253996	Trust: 0.6
title:	Schneider Electric Easergy T300 Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137260	Trust: 0.6

sources: CNVD: CNVD-2021-19763 // JVNDB: JVNDB-2020-014345 // CNNVD: CNNVD-202012-725

EXTERNAL IDS

db:	NVD	id:	CVE-2020-28217	Trust: 3.0
db:	ICS CERT	id:	ICSA-20-343-03	Trust: 3.0
db:	SCHNEIDER	id:	SEVD-2020-315-06	Trust: 1.6
db:	JVN	id:	JVNVU91936841	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-014345	Trust: 0.8
db:	CNVD	id:	CNVD-2021-19763	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.4360	Trust: 0.6
db:	CNNVD	id:	CNNVD-202012-725	Trust: 0.6

sources: CNVD: CNVD-2021-19763 // JVNDB: JVNDB-2020-014345 // CNNVD: CNNVD-202012-725 // NVD: CVE-2020-28217

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-343-03	Trust: 3.6
url:	https://www.se.com/ww/en/download/document/sevd-2020-315-06/	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-28217	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu91936841/	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.4360/	Trust: 0.6

sources: CNVD: CNVD-2021-19763 // JVNDB: JVNDB-2020-014345 // CNNVD: CNNVD-202012-725 // NVD: CVE-2020-28217

SOURCES

db:	CNVD	id:	CNVD-2021-19763
db:	JVNDB	id:	JVNDB-2020-014345
db:	CNNVD	id:	CNNVD-202012-725
db:	NVD	id:	CVE-2020-28217

LAST UPDATE DATE

2024-11-23T21:58:53.480000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-19763	date:	2021-03-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-014345	date:	2021-08-13T09:04:00
db:	CNNVD	id:	CNNVD-202012-725	date:	2020-12-16T00:00:00
db:	NVD	id:	CVE-2020-28217	date:	2024-11-21T05:22:29.607

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-19763	date:	2021-03-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-014345	date:	2021-08-13T00:00:00
db:	CNNVD	id:	CNNVD-202012-725	date:	2020-12-08T00:00:00
db:	NVD	id:	CVE-2020-28217	date:	2020-12-11T01:15:11.707