CVE-2020-5569
Severity CVSS v4.0:
Pending analysis
Type:
CWE-428
Unquoted Search Path or Element
Publication date:
20/04/2020
Last modified:
05/05/2020
Description
An unquoted search path vulnerability exists in HDD Password tool (for Windows) version 1.20.6620 and earlier which is stored in CANVIO PREMIUM 3TB(HD-MB30TY, HD-MA30TY, HD-MB30TS, HD-MA30TS), CANVIO PREMIUM 2TB(HD-MB20TY, HD-MA20TY, HD-MB20TS, HD-MA20TS), CANVIO PREMIUM 1TB(HD-MB10TY, HD-MA10TY, HD-MB10TS, HD-MA10TS), CANVIO SLIM 1TB(HD-SB10TK, HD-SB10TS), and CANVIO SLIM 500GB(HD-SB50GK, HD-SA50GK, HD-SB50GS, HD-SA50GS), and which was downloaded before 2020 May 10. Since it registers Windows services with unquoted file paths, when a registered path contains spaces, and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service.
Impact
Base Score 3.x
8.40
Severity 3.x
HIGH
Base Score 2.0
4.60
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:toshiba:password_tool_for_windows:*:*:*:*:*:*:*:* | 1.20.6620 (including) | |
| cpe:2.3:h:toshiba:hd-ma10ts:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-ma10ty:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-ma20ts:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-ma20ty:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-ma30ts:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-ma30ty:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-mb10ts:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-mb10ty:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-mb20ts:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-mb20ty:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-mb30ts:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-mb30ty:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-sa50gk:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:toshiba:hd-sa50gs:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page