CVE Vulnerabilities

CVE-2020-12495

Improper Privilege Management

Published: Nov 19, 2020 | Modified: Dec 08, 2020
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management. The affected device has a web-based user interface with a role-based access system. Users with different roles have different write and read privileges. The access system is based on dynamic tokens. The vulnerability is that user sessions are not closed correctly and a user with fewer rights is assigned the higher rights when he logs on.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Rsg35_firmware Endress * 2.0.0 (excluding)

Potential Mitigations

References