Vulnerability Details : CVE-2020-16098
It is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions of Command Centre v8.20 prior to v8.20.1166(MR3), versions of 8.10 prior to v8.10.1211(MR5), versions of 8.00 prior to v8.00.1228(MR6), all versions of 7.90 and earlier. These credentials can then be used to encode low security cards to be used by the system where insecure card technologies are supported.
Vulnerability category: BypassGain privilege
Products affected by CVE-2020-16098
- cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:8.00.1228:-:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:8.10.1211:-:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:8.20.1166:-:*:*:*:*:*:*
- cpe:2.3:a:gallagher:command_centre:8.30.1236:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-16098
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 66 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-16098
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
Gallagher Group Ltd. | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-16098
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: disclosures@gallagher.com (Secondary)
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-16098
-
https://security.gallagher.com/Security-Advisories/CVE-2020-16098
CVE-2020-16098Vendor Advisory
Jump to