CVE Vulnerabilities

CVE-2020-10275

Weak Encoding for Password

Published: Jun 24, 2020 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64(USERNAME:sha256(PASSWORD)). An unauthorized attacker inside the network can use the default credentials to compute the token and interact with the REST API to exfiltrate, infiltrate or delete data.

Weakness

Obscuring a password with a trivial encoding does not protect the password.

Affected Software

Name Vendor Start Version End Version
Mir100_firmware Mobile-industrial-robots * 2.8.1.1 (including)

Potential Mitigations

References