CVE-2020-14515

CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-09-16 20:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-14515

Mitre link : CVE-2020-14515

CVE.ORG link : CVE-2020-14515

JSON object : View

Products Affected

wibu

codemeter

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2020-14515", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-09-16T20:15:13.567", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected."}, {"lang": "es", "value": "CodeMeter (todas las versiones anteriores a 6.90 cuando se utilizan archivos de actualizaci\u00f3n con CmActLicense Firm Code) presenta un problema en el mecanismo de comprobaci\u00f3n de firmas de archivos de licencia, que permite a atacantes crear archivos de licencia arbitrarios, incluyendo la falsificaci\u00f3n de un archivo de licencia v\u00e1lido como si fuera un archivo de licencia v\u00e1lido de un proveedor existente. Solo est\u00e1n afectados los archivos de actualizaci\u00f3n de CmActLicense con CmActLicense Firm Code"}], "lastModified": "2020-09-22T17:56:46.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wibu:codemeter:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04ECF3CE-FA64-4B81-B769-84844ED87CF7", "versionEndExcluding": "6.90"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}