CVE-2020-24683
Severity CVSS v4.0:
Pending analysis
Type:
CWE-669
Incorrect Resource Transfer Between Spheres
Publication date:
22/12/2020
Last modified:
07/10/2021
Description
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:abb:symphony_\+_historian:3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_historian:3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:2.1:sp1:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:2.1:sp2:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:abb:symphony_\+_operations:3.3:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page