CVE-2020-25184

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.
Configurations

Configuration 1

AND
cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:schneider-electric:easergy_c5_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:easergy_c5:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:schneider-electric:micom_c264_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:micom_c264:-:*:*:*:*:*:*:*

Configuration 4

AND
OR cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:*:*:*:*:linux:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:*:*:*:*:windows:*:*
cpe:2.3:h:schneider-electric:pacis_gtw:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:schneider-electric:saitel_dp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:saitel_dp:-:*:*:*:*:*:*:*

Configuration 6

AND
OR cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:*:*:*:*:linux:*:*
cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:*:*:*:*:windows:*:*
cpe:2.3:h:schneider-electric:epas_gtw:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:schneider-electric:saitel_dr_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:saitel_dr:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:schneider-electric:scd2200_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:schneider-electric:cp-3:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:mc-31:-:*:*:*:*:*:*:*

Configuration 9

OR cpe:2.3:a:rockwellautomation:aadvance_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:rockwellautomation:isagraf_free_runtime:*:*:*:*:*:isagraf6_workbench:*:*
cpe:2.3:a:rockwellautomation:isagraf_runtime:*:*:*:*:*:*:*:*

Configuration 10

AND
cpe:2.3:o:rockwellautomation:micro810_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro810:-:*:*:*:*:*:*:*

Configuration 11

AND
cpe:2.3:o:rockwellautomation:micro820_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro820:-:*:*:*:*:*:*:*

Configuration 12

AND
cpe:2.3:o:rockwellautomation:micro830_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro830:-:*:*:*:*:*:*:*

Configuration 13

AND
cpe:2.3:o:rockwellautomation:micro850_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro850:-:*:*:*:*:*:*:*

Configuration 14

AND
cpe:2.3:o:rockwellautomation:micro870_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro870:-:*:*:*:*:*:*:*

Configuration 15

cpe:2.3:o:xylem:multismart_firmware:*:*:*:*:*:*:*:*

History

04 Apr 2022, 20:52

Type Values Removed Values Added
CPE (values added)
cpe:2.3:o:schneider-electric:scd2200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:epas_gtw:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:micom_c264_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1:*:*:*:*:windows:*:*
cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:*:*:*:*:windows:*:*
cpe:2.3:o:rockwellautomation:micro830_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:xylem:multismart_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:*:*:*:*:linux:*:*
cpe:2.3:h:schneider-electric:easergy_c5:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*
cpe:2.3:o:rockwellautomation:micro850_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4:*:*:*:*:linux:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1:*:*:*:*:windows:*:*
cpe:2.3:h:schneider-electric:saitel_dp:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro820:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:micom_c264:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro810:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:saitel_dp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro850:-:*:*:*:*:*:*:*
cpe:2.3:h:rockwellautomation:micro870:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3:*:*:*:*:windows:*:*
cpe:2.3:a:rockwellautomation:aadvance_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:rockwellautomation:isagraf_free_runtime:*:*:*:*:*:isagraf6_workbench:*:*
cpe:2.3:h:rockwellautomation:micro830:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:mc-31:-:*:*:*:*:*:*:*
cpe:2.3:o:rockwellautomation:micro870_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:cp-3:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:saitel_dr_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:schneider-electric:pacis_gtw:-:*:*:*:*:*:*:*
cpe:2.3:o:rockwellautomation:micro820_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:rockwellautomation:isagraf_runtime:*:*:*:*:*:*:*:*
cpe:2.3:o:rockwellautomation:micro810_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2:*:*:*:*:windows:*:*
cpe:2.3:h:schneider-electric:saitel_dr:-:*:*:*:*:*:*:*
cpe:2.3:o:schneider-electric:easergy_c5_firmware:*:*:*:*:*:*:*:*
First Time (values added)
Schneider-electric saitel Dp
Rockwellautomation micro810
Schneider-electric easergy T300
Schneider-electric saitel Dp Firmware
Schneider-electric saitel Dr Firmware
Schneider-electric cp-3
Schneider-electric pacis Gtw
Xylem multismart Firmware
Rockwellautomation micro830
Schneider-electric easergy T300 Firmware
Rockwellautomation micro870 Firmware
Schneider-electric easergy C5
Schneider-electric scd2200 Firmware
Rockwellautomation isagraf Runtime
Schneider-electric easergy C5 Firmware
Rockwellautomation
Rockwellautomation micro820 Firmware
Rockwellautomation micro810 Firmware
Xylem
Rockwellautomation aadvance Controller
Rockwellautomation micro870
Schneider-electric micom C264 Firmware
Rockwellautomation micro850
Schneider-electric saitel Dr
Schneider-electric epas Gtw
Schneider-electric epas Gtw Firmware
Schneider-electric pacis Gtw Firmware
Rockwellautomation micro830 Firmware
Rockwellautomation micro850 Firmware
Schneider-electric micom C264
Rockwellautomation isagraf Free Runtime
Schneider-electric mc-31
Schneider-electric
Rockwellautomation micro820
CWE
Added: CWE-522
CVSS
Removed: v2 : unknown, v3 : unknown
Added: v2 : 2.1, v3 : 5.5
References
Removed: (CONFIRM) https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699 -
Added: (CONFIRM) https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699 - Permissions Required
Removed: (CONFIRM) https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01 -
Added: (CONFIRM) https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01 - Third Party Advisory, US Government Resource
Removed: (CONFIRM) https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf -
Added: (CONFIRM) https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf - Vendor Advisory
Removed: (CONFIRM) https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04 -
Added: (CONFIRM) https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04 - Vendor Advisory

18 Mar 2022, 19:12

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-18 18:15

Updated : 2023-12-10 14:22


NVD link : CVE-2020-25184

Mitre link : CVE-2020-25184

CVE.ORG link : CVE-2020-25184



Products Affected

rockwellautomation

  • micro820_firmware
  • isagraf_runtime
  • micro810
  • aadvance_controller
  • micro810_firmware
  • micro830_firmware
  • micro830
  • micro850_firmware
  • micro870_firmware
  • micro850
  • micro820
  • micro870
  • isagraf_free_runtime

schneider-electric

  • epas_gtw_firmware
  • mc-31
  • easergy_c5_firmware
  • cp-3
  • micom_c264_firmware
  • easergy_c5
  • pacis_gtw_firmware
  • saitel_dp_firmware
  • saitel_dp
  • saitel_dr_firmware
  • pacis_gtw
  • scd2200_firmware
  • epas_gtw
  • easergy_t300
  • easergy_t300_firmware
  • micom_c264
  • saitel_dr

xylem

  • multismart_firmware
CWE

CWE-522: Insufficiently Protected Credentials

CWE-256: Unprotected Storage of Credentials