CVE-2020-14479 (GCVE-0-2020-14479)
Vulnerability from cvelistv5
Published
2022-04-01 22:17
Modified
2025-04-16 16:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Inductive Automation | Ignition 7 Gateway |
Version: All < 7.9.14 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:57:58.083822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:32:19.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ignition 7 Gateway",
"vendor": "Inductive Automation",
"versions": [
{
"lessThan": "7.9.14",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "Ignition 8 Gateway",
"vendor": "Inductive Automation",
"versions": [
{
"lessThan": "8.0.10",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley (mr_me) working with Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."
}
],
"datePublic": "2020-07-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:52.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01"
}
],
"source": {
"advisory": "ICSA-20-147-01",
"discovery": "EXTERNAL"
},
"title": "ICSA-20-147-01 Inductive Automation Ignition (Update B)",
"workarounds": [
{
"lang": "en",
"value": "Please note CVE-2020-14479 does not have a fix in place. Induction Automation plans to correct this vulnerability in future product versions.\nIt is recommended to restrict interaction with the service to trusted machines. Only clients and servers with a legitimate procedural relationship should be permitted to communicate with the service. This can be done in various ways, most notably with firewall rules/allow listing.\nFor more information regarding software and patches, please refer to the specified version in Inductive Automation\u2019s release notes."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-07-14T17:00:00.000Z",
"ID": "CVE-2020-14479",
"STATE": "PUBLIC",
"TITLE": "ICSA-20-147-01 Inductive Automation Ignition (Update B)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Ignition 7 Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "7.9.14"
}
]
}
},
{
"product_name": "Ignition 8 Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "8.0.10"
}
]
}
}
]
},
"vendor_name": "Inductive Automation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley (mr_me) working with Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01"
}
]
},
"source": {
"advisory": "ICSA-20-147-01",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Please note CVE-2020-14479 does not have a fix in place. Induction Automation plans to correct this vulnerability in future product versions.\nIt is recommended to restrict interaction with the service to trusted machines. Only clients and servers with a legitimate procedural relationship should be permitted to communicate with the service. This can be done in various ways, most notably with firewall rules/allow listing.\nFor more information regarding software and patches, please refer to the specified version in Inductive Automation\u2019s release notes."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-14479",
"datePublished": "2022-04-01T22:17:52.198Z",
"dateReserved": "2020-06-19T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:32:19.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-14479\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2022-04-01T23:15:08.597\",\"lastModified\":\"2024-11-21T05:03:21.647\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server\"},{\"lang\":\"es\",\"value\":\"Puede obtenerse informaci\u00f3n confidencial mediante el manejo de datos serializados. El problema es debido a una falta de autenticaci\u00f3n apropiada requerida para consultar el servidor\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.9.14\",\"matchCriteriaId\":\"72C986ED-D7AB-4729-B95F-3E5ADC89CE26\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.1\",\"versionEndIncluding\":\"8.0.10\",\"matchCriteriaId\":\"A80BC717-8EE6-4365-9ABE-4933FDB959EA\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\",\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T12:46:34.702Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-14479\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-16T15:57:58.083822Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-16T15:58:00.592Z\"}}], \"cna\": {\"title\": \"ICSA-20-147-01 Inductive Automation Ignition (Update B)\", \"source\": {\"advisory\": \"ICSA-20-147-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley (mr_me) working with Trend Micro\\u2019s Zero Day Initiative reported these vulnerabilities to CISA.\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Inductive Automation\", \"product\": \"Ignition 7 Gateway\", \"versions\": [{\"status\": \"affected\", \"version\": \"All\", \"lessThan\": \"7.9.14\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Inductive Automation\", \"product\": \"Ignition 8 Gateway\", \"versions\": [{\"status\": \"affected\", \"version\": \"All\", \"lessThan\": \"8.0.10\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2020-07-14T00:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01\", \"tags\": [\"x_refsource_MISC\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Please note CVE-2020-14479 does not have a fix in place. Induction Automation plans to correct this vulnerability in future product versions.\\nIt is recommended to restrict interaction with the service to trusted machines. Only clients and servers with a legitimate procedural relationship should be permitted to communicate with the service. This can be done in various ways, most notably with firewall rules/allow listing.\\nFor more information regarding software and patches, please refer to the specified version in Inductive Automation\\u2019s release notes.\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2022-04-01T22:17:52.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley (mr_me) working with Trend Micro\\u2019s Zero Day Initiative reported these vulnerabilities to CISA.\"}], \"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, \"source\": {\"advisory\": \"ICSA-20-147-01\", \"discovery\": \"EXTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_name\": \"All\", \"version_value\": \"7.9.14\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"Ignition 7 Gateway\"}, {\"version\": {\"version_data\": [{\"version_name\": \"All\", \"version_value\": \"8.0.10\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"Ignition 8 Gateway\"}]}, \"vendor_name\": \"Inductive Automation\"}]}}, \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01\", \"name\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-306 Missing Authentication for Critical Function\"}]}]}, \"work_around\": [{\"lang\": \"en\", \"value\": \"Please note CVE-2020-14479 does not have a fix in place. Induction Automation plans to correct this vulnerability in future product versions.\\nIt is recommended to restrict interaction with the service to trusted machines. Only clients and servers with a legitimate procedural relationship should be permitted to communicate with the service. This can be done in various ways, most notably with firewall rules/allow listing.\\nFor more information regarding software and patches, please refer to the specified version in Inductive Automation\\u2019s release notes.\"}], \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2020-14479\", \"STATE\": \"PUBLIC\", \"TITLE\": \"ICSA-20-147-01 Inductive Automation Ignition (Update B)\", \"ASSIGNER\": \"ics-cert@hq.dhs.gov\", \"DATE_PUBLIC\": \"2020-07-14T17:00:00.000Z\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2020-14479\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-16T16:32:19.854Z\", \"dateReserved\": \"2020-06-19T00:00:00.000Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2022-04-01T22:17:52.198Z\", \"assignerShortName\": \"icscert\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…