VDE-2020-031
Vulnerability from csaf_endresshauserag - Published: 2020-10-27 13:10 - Updated: 2025-05-14 13:00
Multiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.
Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.
An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.
This vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted JavaScript payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.
CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.
CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.
{
"document": {
"acknowledgments": [
{
"names": [
"Sharon Brizinov",
"Tal Keren"
],
"organization": "Claroty",
"summary": "reported"
},
{
"organization": "CERT@VDE",
"summary": "coordination"
},
{
"organization": "CISA",
"summary": "coordination"
},
{
"organization": "BSI",
"summary": "coordination"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html and the aforementioned CVE-IDs.",
"title": "Summary"
},
{
"category": "description",
"text": "For further Information please refer to WIBU Advisories directly at https://wibu.com/support/security-advisories.html external link and the aforementioned CVE-IDs.",
"title": "Impact"
},
{
"category": "description",
"text": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"title": "Mitigation"
},
{
"category": "description",
"text": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support",
"title": "Remedation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@endress.com",
"name": "Endress+Hauser AG",
"namespace": "https://www.endress.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2020-031: Endress+Hauser: Multiple products prone to WIBU CodeMeter vulnerabilities - HTML",
"url": "https://certvde.com/de/advisories/VDE-2020-031/"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Endress+Hauser AG",
"url": "https://certvde.com/de/advisories/vendor/endress+hauser/"
},
{
"category": "self",
"summary": "VDE-2020-031: Endress+Hauser: Multiple products prone to WIBU CodeMeter vulnerabilities - CSAF",
"url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-031.json"
}
],
"title": "Endress+Hauser: Multiple products prone to WIBU CodeMeter vulnerabilities",
"tracking": {
"aliases": [
"VDE-2020-031"
],
"current_release_date": "2025-05-14T13:00:14.000Z",
"generator": {
"date": "2025-04-11T08:10:32.428Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2020-031",
"initial_release_date": "2020-10-27T13:10:00.000Z",
"revision_history": [
{
"date": "2020-10-27T13:10:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2024-11-06T11:27:01.000Z",
"number": "2",
"summary": "Fix: added self-reference"
},
{
"date": "2025-04-11T07:00:00.000Z",
"number": "3",
"summary": "Fix: version range, remove Issuing authority"
},
{
"date": "2025-05-14T13:00:14.000Z",
"number": "4",
"summary": "Fix: added distribution"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "1.02\u003c=1.07",
"product": {
"name": "Software DeviceCare 1.02\u003c=1.07",
"product_id": "CSAFPID-51001",
"product_identification_helper": {
"model_numbers": [
"SFE 100"
]
}
}
}
],
"category": "product_name",
"name": "DeviceCare"
},
{
"branches": [
{
"category": "product_version",
"name": "2.15.00",
"product": {
"name": "Software FieldCare 2.15.00",
"product_id": "CSAFPID-51002",
"product_identification_helper": {
"model_numbers": [
"SFE 500"
]
}
}
}
],
"category": "product_name",
"name": "FieldCare"
},
{
"branches": [
{
"category": "product_version_range",
"name": "1.4.0\u003c=1.5.1",
"product": {
"name": "Software Field Data Manager 1.4.0\u003c=1.5.1",
"product_id": "CSAFPID-51003",
"product_identification_helper": {
"model_numbers": [
"MS20",
"MS21"
]
}
}
}
],
"category": "product_name",
"name": "Field Data Manager"
},
{
"branches": [
{
"category": "product_version_range",
"name": "1.03\u003c=1.05",
"product": {
"name": "Software FieldXpert 1.03\u003c=1.05",
"product_id": "CSAFPID-51004",
"product_identification_helper": {
"model_numbers": [
"SMT70",
"SMT77"
]
}
}
}
],
"category": "product_name",
"name": "FieldXpert"
},
{
"branches": [
{
"category": "product_version",
"name": "1.2.0",
"product": {
"name": "Software OPC UA Connectivity Server 1.2.0",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "OPC UA Connectivity Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "3.0\u003c=3.3",
"product": {
"name": "Software SupplyCare Enterprise 3.0\u003c=3.3",
"product_id": "CSAFPID-51006",
"product_identification_helper": {
"model_numbers": [
"SCE30B",
"SCE31B",
"SCE32B"
]
}
}
}
],
"category": "product_name",
"name": "SupplyCare Enterprise"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Endress+Hauser"
},
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=7.10.",
"product": {
"name": "Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-51007"
}
},
{
"category": "product_version",
"name": "7.10a",
"product": {
"name": "Software Codemeter 7.10a",
"product_id": "CSAFPID-52008"
}
}
],
"category": "product_name",
"name": "Codemeter"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Wibu-Systems"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "external_component_of",
"full_product_name": {
"name": "Software DeviceCare 1.02\u003c=1.07 external component of Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software FieldCare 2.15.00 external component of Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-51002",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software Field Data Manager 1.4.0\u003c=1.5.1 external component of Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-51003",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software FieldXpert 1.03\u003c=1.05 external component of Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-51004",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software OPC UA Connectivity Server 1.2.0 external component of Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-51005",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software SupplyCare Enterprise 3.0\u003c=3.3 external component of Software Codemeter \u003c=7.10.",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-51006",
"relates_to_product_reference": "CSAFPID-51007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software DeviceCare 1.02\u003c=1.07 external component of Software Codemeter 7.10a",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-52008"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software FieldCare 2.15.00 external component of Software Codemeter 7.10a",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-51002",
"relates_to_product_reference": "CSAFPID-52008"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software Field Data Manager 1.4.0\u003c=1.5.1 external component of Software Codemeter 7.10a",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-51003",
"relates_to_product_reference": "CSAFPID-52008"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software FieldXpert 1.03\u003c=1.05 external component of Software Codemeter 7.10a",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-51004",
"relates_to_product_reference": "CSAFPID-52008"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software OPC UA Connectivity Server 1.2.0 external component of Software Codemeter 7.10a",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-51005",
"relates_to_product_reference": "CSAFPID-52008"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Software SupplyCare Enterprise 3.0\u003c=3.3 external component of Software Codemeter 7.10a",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-51006",
"relates_to_product_reference": "CSAFPID-52008"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14509",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"notes": [
{
"category": "description",
"text": "\nMultiple memory corruption vulnerabilities exist in CodeMeter (All versions prior to 7.10) where the packet parser mechanism does not verify length fields. An attacker could send specially crafted packets to exploit these vulnerabilities.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2020-14509"
},
{
"cve": "CVE-2020-14517",
"cwe": {
"id": "CWE-326",
"name": "Inadequate Encryption Strength"
},
"notes": [
{
"category": "description",
"text": "Protocol encryption can be easily broken for CodeMeter (All versions prior to 6.90 are affected, including Version 6.90 or newer only if CodeMeter Runtime is running as server) and the server accepts external connections, which may allow an attacker to remotely communicate with the CodeMeter API.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2020-14517"
},
{
"cve": "CVE-2020-16233",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "description",
"text": "An attacker could send a specially crafted packet that could have CodeMeter (All versions prior to 7.10) send back packets containing data from the heap.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2020-16233"
},
{
"cve": "CVE-2020-14519",
"cwe": {
"id": "CWE-346",
"name": "Origin Validation Error"
},
"notes": [
{
"category": "description",
"text": "\nThis vulnerability allows an attacker to use the internal WebSockets API for CodeMeter (All versions prior to 7.00 are affected, including Version 7.0 or newer with the affected WebSockets API still enabled. This is especially relevant for systems or devices where a web browser is used to access a web server) via a specifically crafted Java Script payload, which may allow alteration or creation of license files for when combined with CVE-2020-14515.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2020-14519"
},
{
"cve": "CVE-2020-14513",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "CodeMeter (All versions prior to 6.81) and the software using it may crash while processing a specifically crafted license file due to unverified length fields.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2020-14513"
},
{
"cve": "CVE-2020-14515",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"notes": [
{
"category": "description",
"text": "CodeMeter (All versions prior to 6.90 when using CmActLicense update files with CmActLicense Firm Code) has an issue in the license-file signature checking mechanism, which allows attackers to build arbitrary license files, including forging a valid license file as if it were a valid license file of an existing vendor. Only CmActLicense update files with CmActLicense Firm Code are affected.",
"title": "Vulnerability Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "WIBU SYSTEMS has released a new Code Meter Runtime version 7.10a dated on 16.9.2020. All the known vulnerabilities are fixed with this version. The version is available at https://www.wibu.com/support ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"details": "Most vulnerabilities have already been fixed in the current Code Meter versions 7.10. Use of this version requires additional mitigation measures to fix all CVEs. For detailed information please refer to WIBU SYSTEMS original Advisories at https://wibu.com/support/security-advisories.html.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006"
]
}
],
"title": "CVE-2020-14515"
}
]
}