fkie_cve-2020-16098
Vulnerability from fkie_nvd
Published
2020-09-15 14:15
Modified
2024-11-21 05:06
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
It is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions of Command Centre v8.20 prior to v8.20.1166(MR3), versions of 8.10 prior to v8.10.1211(MR5), versions of 8.00 prior to v8.00.1228(MR6), all versions of 7.90 and earlier. These credentials can then be used to encode low security cards to be used by the system where insecure card technologies are supported.
References
disclosures@gallagher.comhttps://security.gallagher.com/Security-Advisories/CVE-2020-16098Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gallagher.com/Security-Advisories/CVE-2020-16098Vendor Advisory
Impacted products
Vendor Product Version
gallagher command_centre *
gallagher command_centre *
gallagher command_centre *
gallagher command_centre *
gallagher command_centre 8.00.1228
gallagher command_centre 8.10.1211
gallagher command_centre 8.20.1166
gallagher command_centre 8.30.1236


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AF24E0D-FEF8-4814-A689-50869362C70A",
              "versionEndExcluding": "8.00.1228",
              "versionStartIncluding": "8.00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55BB8603-0AAE-49A3-B127-374F24C498DE",
              "versionEndExcluding": "8.10.1211",
              "versionStartIncluding": "8.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE7DBECA-3C79-4346-AB66-B7538B230FE7",
              "versionEndExcluding": "8.20.1166",
              "versionStartIncluding": "8.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0DEE3F1-6EE3-4D31-BDF2-648F45C0EC20",
              "versionEndExcluding": "8.30.1236",
              "versionStartIncluding": "8.30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:8.00.1228:-:*:*:*:*:*:*",
              "matchCriteriaId": "B5A79B43-E943-44E2-B13A-64F955518C8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:8.10.1211:-:*:*:*:*:*:*",
              "matchCriteriaId": "E672F2DB-6C4D-4549-977C-F4EDBCC461E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:8.20.1166:-:*:*:*:*:*:*",
              "matchCriteriaId": "3DACA47B-78DA-4ED5-A15B-04556FA11865",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gallagher:command_centre:8.30.1236:-:*:*:*:*:*:*",
              "matchCriteriaId": "34322F73-2AEF-4920-96DD-B138125A0660",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions of Command Centre v8.20 prior to v8.20.1166(MR3), versions of 8.10 prior to v8.10.1211(MR5), versions of 8.00 prior to v8.00.1228(MR6), all versions of 7.90 and earlier. These credentials can then be used to encode low security cards to be used by the system where insecure card technologies are supported."
    },
    {
      "lang": "es",
      "value": "Es posible enumerar las credenciales de la tarjeta de acceso por medio de una conexi\u00f3n de red no autenticada en el servidor en Command Center versiones v8.20 anteriores a v8.20.1166(MR3), versiones de 8.10 anteriores a v8.10.1211(MR5), versiones de 8.00 anteriores a v8.00.1228(MR6), todas las versiones de 7.90 y anteriores.\u0026#xa0;Estas credenciales pueden ser usadas para codificar tarjetas de poca seguridad que puedan ser usadas por el sistema donde son admitidas tecnolog\u00edas de tarjetas no seguras"
    }
  ],
  "id": "CVE-2020-16098",
  "lastModified": "2024-11-21T05:06:46.400",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "disclosures@gallagher.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-15T14:15:13.833",
  "references": [
    {
      "source": "disclosures@gallagher.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16098"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16098"
    }
  ],
  "sourceIdentifier": "disclosures@gallagher.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "disclosures@gallagher.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.