CVE-2020-12025 - Vulnerability Details - OpenCVE

Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rockwellautomation	Studio 5000 Logix Designer

Configuration 1 [-]

OR	cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:32.00:::::::*
	cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:32.01:::::::*
	cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:32.02:::::::*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2020-07-14T12:44:30

Updated: 2024-08-04T11:48:57.991Z

Reserved: 2020-04-21T00:00:00

Link: CVE-2020-12025

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-07-14T13:15:11.343

Modified: 2024-11-21T04:59:08.237

Link: CVE-2020-12025

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02", "vendor": "n/a", "versions": [{"status": "affected", "version": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02"}]}], "datePublic": "2020-07-09T00:00:00", "descriptions": [{"lang": "en", "value": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-14T12:44:30", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-12025", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02", "version": {"version_data": [{"version_value": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:48:57.991Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-12025", "datePublished": "2020-07-14T12:44:30", "dateReserved": "2020-04-21T00:00:00", "dateUpdated": "2024-08-04T11:48:57.991Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:32.00:*:*:*:*:*:*:*", "matchCriteriaId": "4083E3F1-AD2E-4A0B-9B19-67D471C25FC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:32.01:*:*:*:*:*:*:*", "matchCriteriaId": "53B85CCF-1DD1-4073-9374-F32463416C70", "vulnerable": true}, {"criteria": "cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:32.02:*:*:*:*:*:*:*", "matchCriteriaId": "16E1A28F-F6F7-4B6B-B0B6-7A3085CB31E2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program."}, {"lang": "es", "value": "Rockwell Automation Logix Designer Studio 5000 Versiones 32.00, 32.01 y 32.02, es susceptible a una vulnerabilidad de tipo xml external entity (XXE), que puede permitir a un atacante visualizar nombres de host u otros recursos del programa"}], "id": "CVE-2020-12025", "lastModified": "2024-11-21T04:59:08.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-14T13:15:11.343", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-191-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}