Vulnerability Details : CVE-2020-6970
A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server.
Vulnerability category: OverflowMemory CorruptionExecute code
Products affected by CVE-2020-6970
- Emerson » Openenterprise Scada ServerVersions from including (>=) 3.1 and up to, including, (<=) 3.3.3cpe:2.3:a:emerson:openenterprise_scada_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:emerson:openenterprise_scada_server:2.8.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-6970
0.45%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-6970
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-6970
-
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Assigned by: ics-cert@hq.dhs.gov (Secondary)
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-6970
-
https://www.us-cert.gov/ics/advisories/icsa-20-049-02
Emerson OpenEnterprise | CISAThird Party Advisory;US Government Resource
Jump to