Details of VAR-202012-0851

ID

VAR-202012-0851

CVE

CVE-2020-28946

TITLE

Plum IK-401 Inadequate protection of credentials on devices Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-014281

DESCRIPTION

An improper webserver configuration on Plum IK-401 devices with firmware before 1.02 allows an attacker (with network access to the device) to obtain the configuration file, including hashed credential data. Successful exploitation could allow access to hashed credential data with a single unauthenticated GET request. Plum IK-401 The device contains a vulnerability related to insufficient protection of credentials.Information may be obtained. Plum Ik-401 is a 4G modem/router used in industrial environments from Plum in Germany. Plum IK-401 version prior to 1.02 has a security vulnerability

Trust: 2.16

sources: NVD: CVE-2020-28946 // JVNDB: JVNDB-2020-014281 // CNVD: CNVD-2021-01058

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-01058

AFFECTED PRODUCTS

vendor:	plummac	model:	ik-401	scope:	lt	version:	1.02	Trust: 1.0
vendor:	plum	model:	ik-401	scope:	eq	version:	plum ik-401 firmware 1.02	Trust: 0.8
vendor:	plum	model:	ik-401	scope:	eq	version:	-	Trust: 0.8
vendor:	plum	model:	ik-401	scope:	lt	version:	1.02	Trust: 0.6

sources: CNVD: CNVD-2021-01058 // JVNDB: JVNDB-2020-014281 // NVD: CVE-2020-28946

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-28946
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-28946
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-01058
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202012-648
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-28946
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-01058
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-28946
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-28946
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-01058 // JVNDB: JVNDB-2020-014281 // CNNVD: CNNVD-202012-648 // NVD: CVE-2020-28946

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	Inadequate protection of credentials (CWE-522) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-014281 // NVD: CVE-2020-28946

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-648

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202012-648

PATCH

title:	IK-401	url:	https://plummac.com/project/ik-401/	Trust: 0.8
title:	Patch for Plum Ik-401 security issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/243364	Trust: 0.6
title:	Plum Ik-401 Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=136789	Trust: 0.6

sources: CNVD: CNVD-2021-01058 // JVNDB: JVNDB-2020-014281 // CNNVD: CNNVD-202012-648

EXTERNAL IDS

db:	NVD	id:	CVE-2020-28946	Trust: 3.0
db:	JVNDB	id:	JVNDB-2020-014281	Trust: 0.8
db:	CNVD	id:	CNVD-2021-01058	Trust: 0.6
db:	CNNVD	id:	CNNVD-202012-648	Trust: 0.6

sources: CNVD: CNVD-2021-01058 // JVNDB: JVNDB-2020-014281 // CNNVD: CNNVD-202012-648 // NVD: CVE-2020-28946

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-28946	Trust: 2.0
url:	https://plummac.com/project/ik-401/	Trust: 1.6
url:	https://www.cert.pl/news/single/coraz-wiecej-urzadzen-przemyslowych-podlaczonych-do-internetu/	Trust: 1.6
url:	https://www.cert.pl/posts/2020/12/coraz-wiecej-urzadzen-przemyslowych-podlaczonych-do-internetu/	Trust: 0.8

sources: CNVD: CNVD-2021-01058 // JVNDB: JVNDB-2020-014281 // CNNVD: CNNVD-202012-648 // NVD: CVE-2020-28946

SOURCES

db:	CNVD	id:	CNVD-2021-01058
db:	JVNDB	id:	JVNDB-2020-014281
db:	CNNVD	id:	CNNVD-202012-648
db:	NVD	id:	CVE-2020-28946

LAST UPDATE DATE

2024-11-23T22:25:14.340000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-01058	date:	2021-01-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-014281	date:	2021-08-13T08:43:00
db:	CNNVD	id:	CNNVD-202012-648	date:	2020-12-16T00:00:00
db:	NVD	id:	CVE-2020-28946	date:	2024-11-21T05:23:21.203

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-01058	date:	2021-01-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-014281	date:	2021-08-13T00:00:00
db:	CNNVD	id:	CNNVD-202012-648	date:	2020-12-08T00:00:00
db:	NVD	id:	CVE-2020-28946	date:	2020-12-08T20:15:15.713