CVE-2020-14521
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.
Affected (46)
Products: Mitsubishielectric: C Controller Interface Module Utility, C Controller Module Setting And Monitoring Tool, Cc Link Ie Control Network Data Collector, Cc Link Ie Field Network Data Collector, Cc Link Ie Tsn Data Collector, Cpu Module Logging Configuration Tool, Cw Configurator, Data Transfer, Ezsocket, Fr Configurator2, Fr Configurator Sw3, Gt Designer2 Classic, Gt Softgot1000, Gt Softgot2000, Gx Developer, Gx Logviewer, Gx Works2, Gx Works3, M Commdtm Io Link, Melfa Works, Melsec Wincpu Setting Utility, Melsoft Complete Clean Up Tool, Melsoft Em Software Development Kit, Melsoft Iq Appportal, Melsoft Navigator, Mi Configurator, Motion Control Setting, Motorizer, Mr Configurator2, Mt Works2, Mtconnect Data Collector, Mx Component, Mx Mesinterface, Mx Mesinterface R, Mx Sheet, Position Board Utility 2, Px Developer, Rt Toolbox2, Rt Toolbox3, Setting/monitoring Tools For The C Controller Module, Slmp Data Collector, Gt Designer3, Network Interface Board Cc Link Ver.2 Utility Firmware, Network Interface Board Cc Ie Control Utility Firmware, Network Interface Board Cc Ie Field Utility Firmware, Network Interface Board Mneth Utility Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| All versions | |
| All versions | |
| Version 1.00a | |
| Version 1.00a | |
| Version 1.00a | |
| Up to 1.100e | |
| Up to 1.010l | |
| Up to 3.42u | |
| Up to 5.1 | |
| All versions | |
| All versions | |
| All versions | |
| From 3.0 to 3.200j | |
| From 1.0 to 1.241b | |
| Up to 8.504a | |
| Up to 1.100e | |
| Up to 1.601b | |
| Up to 1.063r | |
| All versions | |
| Up to 4.4 | |
| All versions | |
| Up to 1.06g | |
| All versions | |
| Up to 1.17t | |
| Up to 2.74c | |
| All versions | |
| Up to 1.005f | |
| Up to 1.005f | |
| Up to 1.125f | |
| Up to 1.167z | |
| Up to 1.1.4.0 | |
| Up to 4.20w | |
| Up to 1.21x | |
| Up to 1.12n | |
| Up to 2.15r | |
| All versions | |
| Up to 1.53f | |
| Up to 3.73b | |
| Up to 1.82l | |
| All versions | |
| Up to 1.04e | |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 1.241b | |

| Running on/with | Platform Versions |
|---|---|
| Mitsubishielectric Got1000 Series Gt10 | All versions |
| Mitsubishielectric Got1000 Series Gt11 | All versions |
| Mitsubishielectric Got1000 Series Gt12 | All versions |
| Mitsubishielectric Got1000 Series Gt14 | All versions |
| Mitsubishielectric Got1000 Series Gt15 | All versions |
| Mitsubishielectric Got1000 Series Gt16 | All versions |
| Mitsubishielectric Got1000 Series Gt21 | All versions |
| Mitsubishielectric Got1000 Series Gt23 | All versions |
| Mitsubishielectric Got1000 Series Gt25 | All versions |
| Mitsubishielectric Got1000 Series Gt27 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| All versions | |

| Running on/with | Platform Versions |
|---|---|
| Mitsubishielectric Network Interface Board Cc Link Ver.2 Utility | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| All versions | |

| Running on/with | Platform Versions |
|---|---|
| Mitsubishielectric Network Interface Board Cc Ie Control Utility | All versions |
Configuration E
| Vulnerable Software | Affected Versions |
|---|---|
| All versions | |

| Running on/with | Platform Versions |
|---|---|
| Mitsubishielectric Network Interface Board Cc Ie Field Utility | All versions |
Configuration F
| Vulnerable Software | Affected Versions |
|---|---|
| All versions | |

| Running on/with | Platform Versions |
|---|---|
| Mitsubishielectric Network Interface Board Mneth Utility | All versions |
Related CWEs
CWE-276
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
CWE-428
Unquoted Search Path or Element
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
References (4)
Source: ics-cert@hq.dhs.gov
Third Party Advisory, US Government Resource
Source: ics-cert@hq.dhs.gov
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory, US Government Resource
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory