CVE-2020-5602

CVSS V2 Medium 5 CVSS V3 High 7.5

Description

Mitsubishi Electoric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver.1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

Overview

CVE ID
CVE-2020-5602

Assigner
vultures@jpcert.or.jp

Vulnerability Status
Analyzed

Published Version
2020-06-30T11:15:11

Last Modified Date
2020-07-14T19:17:43

Weakness Enumerations

CWE	URL
CWE-611	http://cwe.mitre.org/data/definitions/611.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:mitsubishielectric:cpu_module_logging_configuration_tool::::::::	1	OR	1.94y
cpe:2.3:a:mitsubishielectric:cw_configurator::::::::	1	OR	1.010l
cpe:2.3:a:mitsubishielectric:em_configurator::::::::	1	OR	1.010l
cpe:2.3:a:mitsubishielectric:gt_designer3::::::::	1	OR	1.221f
cpe:2.3:a:mitsubishielectric:gx_logviewer::::::::	1	OR	1.100e
cpe:2.3:a:mitsubishielectric:gx_works2::::::::	1	OR	1.590q
cpe:2.3:a:mitsubishielectric:gx_works3::::::::	1	OR	1.060n
cpe:2.3:a:mitsubishielectric:m_commdtm-hart::::::::	1	OR	1.01b
cpe:2.3:a:mitsubishielectric:m_commdtm-io-link::::::::	1	OR	1.03d
cpe:2.3:a:mitsubishielectric:melfa-works::::::::	1	OR	4.4
cpe:2.3:a:mitsubishielectric:melsec-l_flexible_high-speed_i\/o_control_module_configuration_tool::::::::	1	OR	1.005f
cpe:2.3:a:mitsubishielectric:melsoft_fielddeviceconfigurator::::::::	1	OR	1.04e
cpe:2.3:a:mitsubishielectric:melsoft_iq_appportal::::::::	1	OR	1.14q
cpe:2.3:a:mitsubishielectric:melsoft_navigator::::::::	1	OR	2.62q
cpe:2.3:a:mitsubishielectric:mi_configurator::::::::	1	OR	1.004e
cpe:2.3:a:mitsubishielectric:motion_control_setting::::::::	1	OR	1.006g
cpe:2.3:a:mitsubishielectric:mr_configurator2::::::::	1	OR	1.100e
cpe:2.3:a:mitsubishielectric:mt_works2::::::::	1	OR	1.160s
cpe:2.3:a:mitsubishielectric:rt_toolbox2::::::::	1	OR	3.73b
cpe:2.3:a:mitsubishielectric:rt_toolbox3::::::::	1	OR	1.60n

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
NONE

Availability Impact
NONE

Base Score
5

Severity
MEDIUM

Exploitability Score
10

Impact Score
2.9

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NETWORK

Attack Compatibility
LOW

Privileges Required
NONE

User Interaction
NONE

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
NONE

Base Score
7.5

Base Severity
HIGH

Exploitability Score
3.9

Impact Score
3.6

References

Reference URL	Reference Tags
https://jvn.jp/en/vu/JVNVU90307594/index.html	Third Party Advisory
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-004_en.pdf	Mitigation Vendor Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2020-5602
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5602

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 16:40:54				Added to TrackCVE
2022-12-04 18:58:51	2020-06-30T11:15Z	2020-06-30T11:15:11	CVE Published Date	updated
2022-12-04 18:58:51		2020-07-14T19:17:43	CVE Modified Date	updated
2022-12-04 18:58:51		Analyzed	Vulnerability Status	updated