CVE-2020-5569
CVSS V2 Medium 4.6
CVSS V3 High 8.4
Description
An unquoted search path vulnerability exists in HDD Password tool (for Windows) version 1.20.6620 and earlier which is stored in CANVIO PREMIUM 3TB(HD-MB30TY, HD-MA30TY, HD-MB30TS, HD-MA30TS), CANVIO PREMIUM 2TB(HD-MB20TY, HD-MA20TY, HD-MB20TS, HD-MA20TS), CANVIO PREMIUM 1TB(HD-MB10TY, HD-MA10TY, HD-MB10TS, HD-MA10TS), CANVIO SLIM 1TB(HD-SB10TK, HD-SB10TS), and CANVIO SLIM 500GB(HD-SB50GK, HD-SA50GK, HD-SB50GS, HD-SA50GS), and which was downloaded before 2020 May 10. Since it registers Windows services with unquoted file paths, when a registered path contains spaces, and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service.
Overview
- CVE ID
- CVE-2020-5569
- Assigner
- vultures@jpcert.or.jp
- Vulnerability Status
- Analyzed
- Published Version
- 2020-04-20T08:15:15
- Last Modified Date
- 2020-05-05T19:17:02
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:a:toshiba:password_tool_for_windows:*:*:*:*:*:*:*:* | 1 | OR | 1.20.6620 | |
| cpe:2.3:h:toshiba:hd-ma10ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-ma10ty:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-ma20ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-ma20ty:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-ma30ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-ma30ty:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-mb10ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-mb10ty:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-mb20ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-mb20ty:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-mb30ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-mb30ty:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-sa50gk:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-sa50gs:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-sb10tk:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-sb10ts:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-sb50gk:-:*:*:*:*:*:*:* | 0 | OR | ||
| cpe:2.3:h:toshiba:hd-sb50gs:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:L/Au:N/C:P/I:P/A:P
- Access Vector
- LOCAL
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 4.6
- Severity
- MEDIUM
- Exploitability Score
- 3.9
- Impact Score
- 6.4
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 8.4
- Base Severity
- HIGH
- Exploitability Score
- 2.5
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://jvn.jp/en/jp/JVN13467854/index.html | Third Party Advisory |
| https://www.canvio.jp/news/20200420.htm | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-5569 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5569 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 17:34:07 | Added to TrackCVE | |||
| 2022-12-04 15:14:37 | 2020-04-20T08:15Z | 2020-04-20T08:15:15 | CVE Published Date | updated |
| 2022-12-04 15:14:37 | 2020-05-05T19:17:02 | CVE Modified Date | updated | |
| 2022-12-04 15:14:37 | Analyzed | Vulnerability Status | updated |