CVE-2020-8479

CVSS V2 High 7.5 CVSS V3 Critical 9.8

Description

For the Central Licensing Server component used in ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, ABB AbilityTM SCADAvantage versions 5.1 to 5.6.5. an XML External Entity Injection vulnerability exists that allows an attacker to read or call arbitrary files from the license server and/or from the network and also block the license handling.

Overview

CVE ID
CVE-2020-8479

Assigner
cybersecurity@ch.abb.com

Vulnerability Status
Modified

Published Version
2020-04-29T02:15:11

Last Modified Date
2022-10-28T02:15:16

Weakness Enumerations

CWE	URL
CWE-91	http://cwe.mitre.org/data/definitions/91.html

CPE Configuration (Product)

CPE	Vulnerable	Operator
cpe:2.3:a:abb:800xa_system:5.1:-::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:feature_pack_4::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:feature_pack_4_revision_d::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:revision_a::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:revision_b::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:revision_c::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:revision_d::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:revision_e::::::	1	OR
cpe:2.3:a:abb:800xa_system:5.1:revision_e_feature_pack_4::::::	1	OR
cpe:2.3:a:abb:800xa_system:6.0:::::::*	1	OR
cpe:2.3:a:abb:800xa_system:6.0.1:::::::*	1	OR
cpe:2.3:a:abb:800xa_system:6.0.3:::::::*	1	OR
cpe:2.3:a:abb:800xa_system:6.1:::::::*	1	OR
cpe:2.3:a:abb:compact_hmi:5.1:-::::::	1	OR
cpe:2.3:a:abb:compact_hmi:5.1:feature_pack_4_revision_d::::::	1	OR
cpe:2.3:a:abb:compact_hmi:5.1:revision_b::::::	1	OR
cpe:2.3:a:abb:compact_hmi:5.1:revision_d::::::	1	OR
cpe:2.3:a:abb:compact_hmi:6.0.1-1:::::::*	1	OR
cpe:2.3:a:abb:compact_hmi:6.0.3-2:::::::*	1	OR
cpe:2.3:a:abb:control_builder_safe:1.0:::::::*	1	OR
cpe:2.3:a:abb:control_builder_safe:1.1:::::::*	1	OR
cpe:2.3:a:abb:control_builder_safe:2.0:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
7.5

Severity
HIGH

Exploitability Score
10

Impact Score
6.4

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NETWORK

Attack Compatibility
LOW

Privileges Required
NONE

User Interaction
NONE

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
HIGH

Base Score
9.8

Base Severity
CRITICAL

Exploitability Score
3.9

Impact Score
5.9

References

Reference URL	Reference Tags
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-154-04

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2020-8479
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8479

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 17:28:38				Added to TrackCVE
2022-12-04 15:53:50	2020-04-29T02:15Z	2020-04-29T02:15:11	CVE Published Date	updated
2022-12-04 15:53:50		2022-10-28T02:15:16	CVE Modified Date	updated
2022-12-04 15:53:50		Modified	Vulnerability Status	updated