CVE-2020-12037

Published: Jun 29, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device.

Affected (2)

Products: Baxter: Prismaflex Firmware, Prismax Firmware

2 products

Prismaflex Firmware

Prismax Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Baxter Prismaflex Firmware	All versions

Running on/with	Platform Versions
Baxter Prismaflex	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Baxter Prismax Firmware	Before 3.0

Running on/with	Platform Versions
Baxter Prismax	All versions

Related CWEs

Use of Hard-coded Password

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (3)

https://www.us-cert.gov/ics/advisories/icsma-20-170-01

Source: ics-cert@hq.dhs.gov

Not Applicable

https://us-cert.cisa.gov/ics/advisories/icsma-20-170-02

Source: nvd@nist.gov

Third Party Advisory

https://www.us-cert.gov/ics/advisories/icsma-20-170-01

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.