Vulnerability-Lookup

GHSA-PMQF-HCFV-43RC

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47

Details

In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-20992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-19T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.",
  "id": "GHSA-pmqf-hcfv-43rc",
  "modified": "2022-05-24T17:47:47Z",
  "published": "2022-05-24T17:47:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20992"
    },
    {
      "type": "WEB",
      "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-20992 (GCVE-0-2021-20992)

Vulnerability from cvelistv5 – Published: 2021-04-19 14:05 – Updated: 2024-09-17 02:36

Title

Fibaro Home Center Unencrypted management interface

Summary

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

CERTVDE

References

URL

Tags

	https://www.iot-inspector.com/blog/advisory-fibar…	x_refsource_CONFIRM
	http://seclists.org/fulldisclosure/2021/Apr/27	mailing-listx_refsource_FULLDISC
	http://packetstormsecurity.com/files/162243/Fibar…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Fibar Group S.A	Fibaro Home Center	Affected: Home Center 2 all Affected: Home Center Lite all

Date Public ?

2021-04-15 00:00

Credits

Marton Illes IoT Inspector Research Lab https://www.iot-inspector.com

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:53:23.114Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
          },
          {
            "name": "20210419 [CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992] Multiple vulnerabilities in Fibaro Home Center",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Fibaro Home Center",
          "vendor": "Fibar Group S.A",
          "versions": [
            {
              "status": "affected",
              "version": "Home Center 2 all"
            },
            {
              "status": "affected",
              "version": "Home Center Lite all"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marton Illes IoT Inspector Research Lab https://www.iot-inspector.com"
        }
      ],
      "datePublic": "2021-04-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-20T17:06:19.000Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
        },
        {
          "name": "20210419 [CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992] Multiple vulnerabilities in Fibaro Home Center",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Fibaro Home Center Unencrypted management interface",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "info@cert.vde.com",
          "DATE_PUBLIC": "2021-04-15T10:00:00.000Z",
          "ID": "CVE-2021-20992",
          "STATE": "PUBLIC",
          "TITLE": "Fibaro Home Center Unencrypted management interface"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Fibaro Home Center",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "Home Center 2",
                            "version_value": "all"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "Home Center Lite",
                            "version_value": "all"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Fibar Group S.A"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Marton Illes IoT Inspector Research Lab https://www.iot-inspector.com"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-319 Cleartext Transmission of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/",
              "refsource": "CONFIRM",
              "url": "https://www.iot-inspector.com/blog/advisory-fibaro-home-center/"
            },
            {
              "name": "20210419 [CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992] Multiple vulnerabilities in Fibaro Home Center",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2021/Apr/27"
            },
            {
              "name": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/162243/Fibaro-Home-Center-MITM-Missing-Authentication-Code-Execution.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2021-20992",
    "datePublished": "2021-04-19T14:05:02.730Z",
    "dateReserved": "2020-12-17T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:36:30.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-PMQF-HCFV-43RC

CVE-2021-20992 (GCVE-0-2021-20992)

Tags

Sightings

Nomenclature