Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for URx by Universal Robots

    CVE-2020-10290 (GCVE-0-2020-10290)

    Vulnerability from nvd – Published: 2020-08-21 15:05 – Updated: 2024-09-16 19:15
    VLAI
    Title
    RVD#1495: Universal Robots URCaps execute with unbounded privileges
    Summary
    Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could 'cook' a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system
    CWE
    • CWE-250 - (Execution with Unnecessary Privileges)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Universal Robots URx Affected: unspecified
    Create a notification for this product.
    Date Public
    2020-08-21 00:00
    Credits
    Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:58:40.357Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/aliasrobotics/RVD/issues/1495"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "URx",
              "vendor": "Universal Robots",
              "versions": [
                {
                  "status": "affected",
                  "version": "unspecified"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
            }
          ],
          "datePublic": "2020-08-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could \u0027cook\u0027 a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-250",
                  "description": "CWE-250 (Execution with Unnecessary Privileges)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-08-21T15:05:19.000Z",
            "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
            "shortName": "Alias"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/aliasrobotics/RVD/issues/1495"
            }
          ],
          "source": {
            "defect": [
              "RVD#1495"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "RVD#1495: Universal Robots URCaps execute with unbounded privileges",
          "x_generator": {
            "engine": "Robot Vulnerability Database (RVD)"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@aliasrobotics.com",
              "DATE_PUBLIC": "2020-08-21T15:02:38 +00:00",
              "ID": "CVE-2020-10290",
              "STATE": "PUBLIC",
              "TITLE": "RVD#1495: Universal Robots URCaps execute with unbounded privileges"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "URx",
                          "version": {
                            "version_data": [
                              {
                                "version_value": ""
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Universal Robots"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could \u0027cook\u0027 a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system"
                }
              ]
            },
            "generator": {
              "engine": "Robot Vulnerability Database (RVD)"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "medium",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-250 (Execution with Unnecessary Privileges)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/aliasrobotics/RVD/issues/1495",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/aliasrobotics/RVD/issues/1495"
                }
              ]
            },
            "source": {
              "defect": [
                "RVD#1495"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "assignerShortName": "Alias",
        "cveId": "CVE-2020-10290",
        "datePublished": "2020-08-21T15:05:19.977Z",
        "dateReserved": "2020-03-10T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:15:10.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-10266 (GCVE-0-2020-10266)

    Vulnerability from nvd – Published: 2020-04-06 12:08 – Updated: 2024-09-16 23:15
    VLAI
    Title
    RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot
    Summary
    UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.
    CWE
    • CWE-353 - (Missing Support for Integrity Check)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Universal Robots URx Affected: CB3 SW Versions 3.3 up to 3.12.1
    Create a notification for this product.
    Date Public
    2020-04-04 00:00
    Credits
    Víctor Mayoral Vilches <victor@aliasrobotics.com>, Mike Karamousadakis, Lander Usategui San Juan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:58:40.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/aliasrobotics/RVD/issues/1487"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "URx",
              "vendor": "Universal Robots",
              "versions": [
                {
                  "status": "affected",
                  "version": "CB3 SW Versions 3.3 up to 3.12.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "V\u00edctor Mayoral Vilches \u003cvictor@aliasrobotics.com\u003e, Mike Karamousadakis, Lander Usategui San Juan"
            }
          ],
          "datePublic": "2020-04-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-353",
                  "description": "CWE-353 (Missing Support for Integrity Check)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-04-06T12:08:40.000Z",
            "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
            "shortName": "Alias"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/aliasrobotics/RVD/issues/1487"
            }
          ],
          "source": {
            "defect": [
              "RVD#1487"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot",
          "x_generator": {
            "engine": "Robot Vulnerability Database (RVD)"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@aliasrobotics.com",
              "DATE_PUBLIC": "2020-04-04T16:53:42 +00:00",
              "ID": "CVE-2020-10266",
              "STATE": "PUBLIC",
              "TITLE": "RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "URx",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "CB3 SW Versions 3.3 up to 3.12.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Universal Robots"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "V\u00edctor Mayoral Vilches \u003cvictor@aliasrobotics.com\u003e, Mike Karamousadakis, Lander Usategui San Juan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand."
                }
              ]
            },
            "generator": {
              "engine": "Robot Vulnerability Database (RVD)"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "high",
                "confidentialityImpact": "LOW",
                "integrityImpact": "REQUIRED",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-353 (Missing Support for Integrity Check)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/aliasrobotics/RVD/issues/1487",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/aliasrobotics/RVD/issues/1487"
                }
              ]
            },
            "source": {
              "defect": [
                "RVD#1487"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "assignerShortName": "Alias",
        "cveId": "CVE-2020-10266",
        "datePublished": "2020-04-06T12:08:40.708Z",
        "dateReserved": "2020-03-10T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:15:36.851Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-10290 (GCVE-0-2020-10290)

    Vulnerability from cvelistv5 – Published: 2020-08-21 15:05 – Updated: 2024-09-16 19:15
    VLAI
    Title
    RVD#1495: Universal Robots URCaps execute with unbounded privileges
    Summary
    Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could 'cook' a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system
    CWE
    • CWE-250 - (Execution with Unnecessary Privileges)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Universal Robots URx Affected: unspecified
    Create a notification for this product.
    Date Public
    2020-08-21 00:00
    Credits
    Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:58:40.357Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/aliasrobotics/RVD/issues/1495"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "URx",
              "vendor": "Universal Robots",
              "versions": [
                {
                  "status": "affected",
                  "version": "unspecified"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
            }
          ],
          "datePublic": "2020-08-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could \u0027cook\u0027 a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-250",
                  "description": "CWE-250 (Execution with Unnecessary Privileges)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-08-21T15:05:19.000Z",
            "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
            "shortName": "Alias"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/aliasrobotics/RVD/issues/1495"
            }
          ],
          "source": {
            "defect": [
              "RVD#1495"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "RVD#1495: Universal Robots URCaps execute with unbounded privileges",
          "x_generator": {
            "engine": "Robot Vulnerability Database (RVD)"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@aliasrobotics.com",
              "DATE_PUBLIC": "2020-08-21T15:02:38 +00:00",
              "ID": "CVE-2020-10290",
              "STATE": "PUBLIC",
              "TITLE": "RVD#1495: Universal Robots URCaps execute with unbounded privileges"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "URx",
                          "version": {
                            "version_data": [
                              {
                                "version_value": ""
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Universal Robots"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Universal Robots controller execute URCaps (zip files containing Java-powered applications) without any permission restrictions and a wide API that presents many primitives that can compromise the overall robot operations as demonstrated in our video. In our PoC we demonstrate how a malicious actor could \u0027cook\u0027 a custom URCap that when deployed by the user (intendedly or unintendedly) compromises the system"
                }
              ]
            },
            "generator": {
              "engine": "Robot Vulnerability Database (RVD)"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "medium",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-250 (Execution with Unnecessary Privileges)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/aliasrobotics/RVD/issues/1495",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/aliasrobotics/RVD/issues/1495"
                }
              ]
            },
            "source": {
              "defect": [
                "RVD#1495"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "assignerShortName": "Alias",
        "cveId": "CVE-2020-10290",
        "datePublished": "2020-08-21T15:05:19.977Z",
        "dateReserved": "2020-03-10T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:15:10.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-10266 (GCVE-0-2020-10266)

    Vulnerability from cvelistv5 – Published: 2020-04-06 12:08 – Updated: 2024-09-16 23:15
    VLAI
    Title
    RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot
    Summary
    UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand.
    CWE
    • CWE-353 - (Missing Support for Integrity Check)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Universal Robots URx Affected: CB3 SW Versions 3.3 up to 3.12.1
    Create a notification for this product.
    Date Public
    2020-04-04 00:00
    Credits
    Víctor Mayoral Vilches <victor@aliasrobotics.com>, Mike Karamousadakis, Lander Usategui San Juan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:58:40.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/aliasrobotics/RVD/issues/1487"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "URx",
              "vendor": "Universal Robots",
              "versions": [
                {
                  "status": "affected",
                  "version": "CB3 SW Versions 3.3 up to 3.12.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "V\u00edctor Mayoral Vilches \u003cvictor@aliasrobotics.com\u003e, Mike Karamousadakis, Lander Usategui San Juan"
            }
          ],
          "datePublic": "2020-04-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-353",
                  "description": "CWE-353 (Missing Support for Integrity Check)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-04-06T12:08:40.000Z",
            "orgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
            "shortName": "Alias"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/aliasrobotics/RVD/issues/1487"
            }
          ],
          "source": {
            "defect": [
              "RVD#1487"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot",
          "x_generator": {
            "engine": "Robot Vulnerability Database (RVD)"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@aliasrobotics.com",
              "DATE_PUBLIC": "2020-04-04T16:53:42 +00:00",
              "ID": "CVE-2020-10266",
              "STATE": "PUBLIC",
              "TITLE": "RVD#1487: No integrity checks on UR+ platform artifacts when installed in the robot"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "URx",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "CB3 SW Versions 3.3 up to 3.12.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Universal Robots"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "V\u00edctor Mayoral Vilches \u003cvictor@aliasrobotics.com\u003e, Mike Karamousadakis, Lander Usategui San Juan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "UR+ (Universal Robots+) is a platform of hardware and software component sellers, for Universal Robots robots. When installing any of these components in the robots (e.g. in the UR10), no integrity checks are performed. Moreover, the SDK for making such components can be easily obtained from Universal Robots. An attacker could exploit this flaw by crafting a custom component with the SDK, performing Person-In-The-Middle attacks (PITM) and shipping the maliciously-crafted component on demand."
                }
              ]
            },
            "generator": {
              "engine": "Robot Vulnerability Database (RVD)"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "high",
                "confidentialityImpact": "LOW",
                "integrityImpact": "REQUIRED",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-353 (Missing Support for Integrity Check)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/aliasrobotics/RVD/issues/1487",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/aliasrobotics/RVD/issues/1487"
                }
              ]
            },
            "source": {
              "defect": [
                "RVD#1487"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dc524f69-879d-41dc-ab8f-724e78658a1a",
        "assignerShortName": "Alias",
        "cveId": "CVE-2020-10266",
        "datePublished": "2020-04-06T12:08:40.708Z",
        "dateReserved": "2020-03-10T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:15:36.851Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }