cvelistv5 - cve-2020-7535

CVE-2020-7535 (GCVE-0-2020-7535)

Vulnerability from cvelistv5

Published

2020-12-11 00:51

Modified

2024-08-04 09:33

Severity ?

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type)

Summary

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.

References

URL

Tags

https://www.se.com/ww/en/download/document/SEVD-2020-343-05/

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions)	Version: Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:19.664Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-05/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions)",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027 Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027 Vulnerability Type)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-11T00:51:37.000Z",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-05/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@schneider-electric.com",
          "ID": "CVE-2020-7535",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027 Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027 Vulnerability Type)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.se.com/ww/en/download/document/SEVD-2020-343-05/",
              "refsource": "CONFIRM",
              "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-05/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2020-7535",
    "datePublished": "2020-12-11T00:51:37.000Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:33:19.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTFR-2022-AVI-815

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
N/A	N/A	Modicon MC80 sans le correctif de sécurité BMKC8020301
N/A	N/A	CANopen X80 Communication Module (BMECXM0100) toutes versions
Schneider Electric	N/A	Modicon MC80 (BMKC80) versions antérieures à 1.8
Schneider Electric	N/A	Modicon MC80 Controller (BMKC8*) versions antérieures à 1.8
Schneider Electric	Modicon M340	Modicon M340 X80 Ethernet Communication Modules BMXNOE0110 (H) toutes versions
Schneider Electric	Modicon M340	Modicon M340 X80 Ethernet Communication Modules BMXNOE0100 (H) toutes versions
N/A	N/A	EcoStruxure™ Control Expert version 15.1 sans le dernier correctif de sécurité
Schneider Electric	N/A	Modicon RTU BMXNOR0200H versions antérieures à 1.7 IR24
Schneider Electric	Modicon M340	Modicon M340 X80 Ethernet Communication Module BMXNOR0200H RTU versions antérieures à 1.7 IR24
Schneider Electric	Modicon M340	Modicon M340 Ethernet TCP/IP Network Module BMXNOC0401 versions antérieures à 2.11
Schneider Electric	N/A	Profibus Remote Master (TCSEGPA23F14F) toutes versions
Schneider Electric	N/A	Lexium ILE ILA ILS Communication Drive versions antérieures à 01.110
Schneider Electric	Modicon M340	Modicon M340 X80 Ethernet Communication module BMXNOC0401 versions antérieures à version 2.11

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2022-256-01 du 13 septembre 2022	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2021-313-05 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2021-257-02 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2018-081-01 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2020-343-06 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2020-343-07 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2021-217-01 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2019-134-11 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2022-221-02 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SESB-2019-214-01 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2020-315-01 du 13 septembre 2022	-	other
Bulletin de sécurité Schneider SEVD-2020-343-05 du 13 septembre 2022	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Modicon MC80 sans le correctif de s\u00e9curit\u00e9 BMKC8020301",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "CANopen X80 Communication Module (BMECXM0100) toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Modicon MC80 (BMKC80) versions ant\u00e9rieures \u00e0 1.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Modicon MC80 Controller (BMKC8*) versions ant\u00e9rieures \u00e0 1.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Modicon M340 X80 Ethernet Communication Modules BMXNOE0110 (H) toutes versions",
      "product": {
        "name": "Modicon M340",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Modicon M340 X80 Ethernet Communication Modules BMXNOE0100 (H) toutes versions",
      "product": {
        "name": "Modicon M340",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "EcoStruxure\u2122 Control Expert version 15.1 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Modicon RTU BMXNOR0200H versions ant\u00e9rieures \u00e0 1.7 IR24",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Modicon M340 X80 Ethernet Communication Module BMXNOR0200H RTU versions ant\u00e9rieures \u00e0 1.7 IR24",
      "product": {
        "name": "Modicon M340",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Modicon M340 Ethernet TCP/IP Network Module BMXNOC0401 versions ant\u00e9rieures \u00e0 2.11",
      "product": {
        "name": "Modicon M340",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Profibus Remote Master (TCSEGPA23F14F) toutes versions",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Lexium ILE ILA ILS Communication Drive versions ant\u00e9rieures \u00e0 01.110",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Modicon M340 X80 Ethernet Communication module BMXNOC0401 versions ant\u00e9rieures \u00e0 version 2.11",
      "product": {
        "name": "Modicon M340",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-7564",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7564"
    },
    {
      "name": "CVE-2020-7563",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7563"
    },
    {
      "name": "CVE-2020-7535",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7535"
    },
    {
      "name": "CVE-2020-35198",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
    },
    {
      "name": "CVE-2020-7549",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7549"
    },
    {
      "name": "CVE-2021-31401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31401"
    },
    {
      "name": "CVE-2022-37301",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-37301"
    },
    {
      "name": "CVE-2018-7241",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7241"
    },
    {
      "name": "CVE-2022-0222",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-0222"
    },
    {
      "name": "CVE-2018-7242",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7242"
    },
    {
      "name": "CVE-2021-31400",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31400"
    },
    {
      "name": "CVE-2021-22788",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22788"
    },
    {
      "name": "CVE-2020-35685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35685"
    },
    {
      "name": "CVE-2020-7562",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7562"
    },
    {
      "name": "CVE-2020-35683",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35683"
    },
    {
      "name": "CVE-2020-35684",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35684"
    },
    {
      "name": "CVE-2020-7536",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7536"
    },
    {
      "name": "CVE-2018-7857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7857"
    },
    {
      "name": "CVE-2019-6807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-6807"
    },
    {
      "name": "CVE-2018-7240",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7240"
    },
    {
      "name": "CVE-2011-4859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-4859"
    },
    {
      "name": "CVE-2020-28895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
    },
    {
      "name": "CVE-2021-22787",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22787"
    },
    {
      "name": "CVE-2021-22785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22785"
    }
  ],
  "initial_release_date": "2022-09-13T00:00:00",
  "last_revision_date": "2022-09-13T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-313-05 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-313-05_Badalloc_Vulnerabilities_Security_Notification_V11.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-257-02 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-257-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-257-02_Web_Server_Modicon_M340_Quantum_and_Premium_and_Communication_Modules_V2.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2018-081-01 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2018-081-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2018-081-01_Embedded_FTP_Servers_for_Modicon_PAC_Controllers_Security_Notification_V4.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-06 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-343-06\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2020-343-06_Web_Server_Modicon_M340_Premium_Quantum_Communication_Modules_Security_Notification_V2.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-07 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-343-07\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2020-343-07_SNMP_Service_Modicon_M340_CPU_Security_Notification_V2.1.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-217-01 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-217-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-217-01_NicheStack_Security_Notification_V3.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2019-134-11 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2019-134-11\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2019-134-11_Modicon_Controllers_Security_Notification_V7.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-221-02 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-221-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-221-02_Modicon_Controllers_Security_Notification_V2.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SESB-2019-214-01 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2019-214-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SESB-2019-214-01_Wind_River_VxWorks_Security_Bulletin_V2.14.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-315-01 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2020-315-01_Modicon_Web_Server_Security_Notification_V3.0.pdf"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-05 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-343-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2020-343-05-Web_Server_Modicon_M340_Premium_Quantum_Communication_Modules_Security_Notification_V2.1.pdf"
    }
  ],
  "reference": "CERTFR-2022-AVI-815",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-09-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire, un d\u00e9ni de service et une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-256-01 du 13 septembre 2022",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-256-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-256-01-EcoStruxure_Machine_SCADA_ExpertPro-face_BLUE_Open_Studio_Security_Notification.pdf"
    }
  ]
}

CERTFR-2020-AVI-801

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

EcoStruxure™ Control Expert
Unity Pro (former name of EcoStruxure™ Control Expert)
EcoStruxure Geo SCADA Expert 2019 versions antérieures à 81.7613.1
EcoStruxure Geo SCADA Expert 2020 versions antérieures à 83.7613.1
Modicon M340 CPU BMXP34* versions antérieures à V3.3
Modicon M340 Ethernet Communication modules BMXNOC0401 versions antérieures à V2.10 (*)
Modicon M340 Ethernet Communication modules BMXNOE0100 versions antérieures à V3.4
Modicon M340 Ethernet Communication modules BMXNOE0110 versions antérieures à V6.6
Modicon Premium processors with integrated Ethernet COPRO TSXP574634, TSXP575634, TSXP576634
Modicon Quantum CPUs 140CPU65xxxxx versions antérieures à V6.1 (*)
Modicon Quantum communication modules 140NOE771x1 versions antérieures à V7.3 (*)
Modicon Quantum communication modules 140NOC78x00 versions antérieures à V1.74 (*)
Modicon Quantum communication modules 140NOC77101 versions antérieures à V1.08
Modicon Premium communication modules TSXETY4103 versions antérieures à V6.2 (*)
Modicon Premium communication modules TSXETY5103 versions antérieures à V6.4 (*)
Modicon Premium CPUs TSXP574634, TSXP575634, TSXP576634 versions antérieures à V6.1 (*)
BMXNOE0100
BMXNOE0110
BMXNOR0200H
BMXNOR200H
Modicon M580 CPUs BMEx58xxxxx microgiciel versions antérieures à 3.20
Modicon M258 versions antérieures à 5.0.4.11
SoMachine/SoMachine Motion software

(*) ces versions ne corrigent pas toutes les vulnérabilités

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2020-343-02 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-06 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-01 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-07 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-04 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-05 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-09 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-08 du 06 décembre 2020	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2020-343-03 du 06 décembre 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eEcoStruxure\u2122 Control Expert\u003c/li\u003e \u003cli\u003eUnity Pro (former name of EcoStruxure\u2122 Control Expert)\u003c/li\u003e \u003cli\u003eEcoStruxure Geo SCADA Expert 2019 versions ant\u00e9rieures \u00e0 81.7613.1\u003c/li\u003e \u003cli\u003eEcoStruxure Geo SCADA Expert 2020 versions ant\u00e9rieures \u00e0 83.7613.1\u003c/li\u003e \u003cli\u003eModicon M340 CPU BMXP34* versions ant\u00e9rieures \u00e0 V3.3\u003c/li\u003e \u003cli\u003eModicon M340 Ethernet Communication modules BMXNOC0401 versions ant\u00e9rieures \u00e0 V2.10 (*)\u003c/li\u003e \u003cli\u003eModicon M340 Ethernet Communication modules BMXNOE0100 versions ant\u00e9rieures \u00e0 V3.4\u003c/li\u003e \u003cli\u003eModicon M340 Ethernet Communication modules BMXNOE0110 versions ant\u00e9rieures \u00e0 V6.6\u003c/li\u003e \u003cli\u003eModicon Premium processors with integrated Ethernet COPRO TSXP574634, TSXP575634, TSXP576634\u003c/li\u003e \u003cli\u003eModicon Quantum CPUs 140CPU65xxxxx versions ant\u00e9rieures \u00e0 V6.1 (*)\u003c/li\u003e \u003cli\u003eModicon Quantum communication modules 140NOE771x1 versions ant\u00e9rieures \u00e0 V7.3 (*)\u003c/li\u003e \u003cli\u003eModicon Quantum communication modules 140NOC78x00 versions ant\u00e9rieures \u00e0 V1.74 (*)\u003c/li\u003e \u003cli\u003eModicon Quantum communication modules 140NOC77101 versions ant\u00e9rieures \u00e0 V1.08\u003c/li\u003e \u003cli\u003eModicon Premium communication modules TSXETY4103 versions ant\u00e9rieures \u00e0 V6.2 (*)\u003c/li\u003e \u003cli\u003eModicon Premium communication modules TSXETY5103 versions ant\u00e9rieures \u00e0 V6.4 (*)\u003c/li\u003e \u003cli\u003eModicon Premium CPUs TSXP574634, TSXP575634, TSXP576634 versions ant\u00e9rieures \u00e0 V6.1 (*)\u003c/li\u003e \u003cli\u003eBMXNOE0100\u003c/li\u003e \u003cli\u003eBMXNOE0110\u003c/li\u003e \u003cli\u003eBMXNOR0200H\u003c/li\u003e \u003cli\u003eBMXNOR200H\u003c/li\u003e \u003cli\u003eModicon M580 CPUs BMEx58xxxxx microgiciel versions ant\u00e9rieures \u00e0 3.20\u003c/li\u003e \u003cli\u003eModicon M258 versions ant\u00e9rieures \u00e0 5.0.4.11\u003c/li\u003e \u003cli\u003eSoMachine/SoMachine Motion software\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e(*) ces versions ne corrigent pas toutes les vuln\u00e9rabilit\u00e9s\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-7535",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7535"
    },
    {
      "name": "CVE-2020-7542",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7542"
    },
    {
      "name": "CVE-2020-7549",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7549"
    },
    {
      "name": "CVE-2020-7537",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7537"
    },
    {
      "name": "CVE-2020-7560",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7560"
    },
    {
      "name": "CVE-2020-28219",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28219"
    },
    {
      "name": "CVE-2020-7536",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7536"
    },
    {
      "name": "CVE-2020-7543",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7543"
    },
    {
      "name": "CVE-2020-28220",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28220"
    },
    {
      "name": "CVE-2020-7540",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7540"
    }
  ],
  "initial_release_date": "2020-12-08T00:00:00",
  "last_revision_date": "2020-12-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-801",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-12-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-02 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-02/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-06 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-06/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-01 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-01/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-07 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-07/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-04 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-04/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-05 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-05/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-09 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-09/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-08 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-08/"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2020-343-03 du 06 d\u00e9cembre 2020",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-03/"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-7535 (GCVE-0-2020-7535)

Vulnerability from cvelistv5

CERTFR-2022-AVI-815

Vulnerability from certfr_avis

Solution

CERTFR-2020-AVI-801

Vulnerability from certfr_avis

Solution

Tags

Sightings

Nomenclature