Details of VAR-202101-0485

ID

VAR-202101-0485

CVE

CVE-2020-28390

TITLE

Opcenter Execution Core Vulnerability regarding inadequate protection of credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-015532

DESCRIPTION

A vulnerability has been identified in Opcenter Execution Core (V8.2), Opcenter Execution Core (V8.3). The application contains an information leakage vulnerability in the handling of web client sessions. A local attacker who has access to the Web Client Session Storage could disclose the passwords of currently logged-in users. The Opcenter execution core (previously known as Camstar Enterprise Platform) is a universally available manufacturing execution system (MES) by Siemens PLM software. Camstar Enterprise Platform and Opcenter Execution Core have security vulnerabilities that can be exploited by attackers to obtain sensitive information

Trust: 2.25

sources: NVD: CVE-2020-28390 // JVNDB: JVNDB-2020-015532 // CNVD: CNVD-2021-02630 // VULMON: CVE-2020-28390

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-02630

AFFECTED PRODUCTS

vendor:	siemens	model:	opcenter execution core	scope:	eq	version:	8.3	Trust: 1.0
vendor:	siemens	model:	opcenter execution core	scope:	eq	version:	8.2	Trust: 1.0
vendor:	シーメンス	model:	opcenter execution core	scope:	eq	version:	8.2	Trust: 0.8
vendor:	シーメンス	model:	opcenter execution core	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	opcenter execution core	scope:	eq	version:	8.3	Trust: 0.8
vendor:	siemens	model:	opcenter execution core	scope:	eq	version:	v8.3	Trust: 0.6

sources: CNVD: CNVD-2021-02630 // JVNDB: JVNDB-2020-015532 // NVD: CVE-2020-28390

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-28390
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-28390
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-02630
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202101-835
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-28390
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2020-28390
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-02630
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:S/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-28390
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-28390
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-02630 // VULMON: CVE-2020-28390 // JVNDB: JVNDB-2020-015532 // CNNVD: CNNVD-202101-835 // NVD: CVE-2020-28390

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.0
problemtype:	Inadequate protection of credentials (CWE-522) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-015532 // NVD: CVE-2020-28390

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202101-835

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202101-835

PATCH

title:	SSA-604937	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-604937.pdf	Trust: 0.8
title:	Patch for Camstar Enterprise Platform and Opcenter Execution Core have unspecified vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/244033	Trust: 0.6
title:	Siemens Opcenter Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=138766	Trust: 0.6

sources: CNVD: CNVD-2021-02630 // JVNDB: JVNDB-2020-015532 // CNNVD: CNNVD-202101-835

EXTERNAL IDS

db:	NVD	id:	CVE-2020-28390	Trust: 3.1
db:	SIEMENS	id:	SSA-604937	Trust: 2.3
db:	ZDI	id:	ZDI-21-051	Trust: 1.7
db:	JVNDB	id:	JVNDB-2020-015532	Trust: 0.8
db:	CNVD	id:	CNVD-2021-02630	Trust: 0.6
db:	ICS CERT	id:	ICSA-20-196-07	Trust: 0.6
db:	CNNVD	id:	CNNVD-202101-835	Trust: 0.6
db:	VULMON	id:	CVE-2020-28390	Trust: 0.1

sources: CNVD: CNVD-2021-02630 // VULMON: CVE-2020-28390 // JVNDB: JVNDB-2020-015532 // CNNVD: CNNVD-202101-835 // NVD: CVE-2020-28390

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-604937.pdf	Trust: 2.3
url:	https://www.zerodayinitiative.com/advisories/zdi-21-051/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-28390	Trust: 1.4
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-07	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/522.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-02630 // VULMON: CVE-2020-28390 // JVNDB: JVNDB-2020-015532 // CNNVD: CNNVD-202101-835 // NVD: CVE-2020-28390

SOURCES

db:	CNVD	id:	CNVD-2021-02630
db:	VULMON	id:	CVE-2020-28390
db:	JVNDB	id:	JVNDB-2020-015532
db:	CNNVD	id:	CNNVD-202101-835
db:	NVD	id:	CVE-2020-28390

LAST UPDATE DATE

2024-11-23T20:53:03.946000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-02630	date:	2021-02-04T00:00:00
db:	VULMON	id:	CVE-2020-28390	date:	2021-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2020-015532	date:	2021-10-01T08:35:00
db:	CNNVD	id:	CNNVD-202101-835	date:	2021-01-21T00:00:00
db:	NVD	id:	CVE-2020-28390	date:	2024-11-21T05:22:42.313

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-02630	date:	2021-01-13T00:00:00
db:	VULMON	id:	CVE-2020-28390	date:	2021-01-12T00:00:00
db:	JVNDB	id:	JVNDB-2020-015532	date:	2021-10-01T00:00:00
db:	CNNVD	id:	CNNVD-202101-835	date:	2021-01-12T00:00:00
db:	NVD	id:	CVE-2020-28390	date:	2021-01-12T21:15:18.043