CVE-2020-12036

Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.us-cert.gov/ics/advisories/icsma-20-170-01	Not Applicable
https://www.us-cert.gov/ics/advisories/icsma-20-170-01	Not Applicable

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:baxter:prismaflex_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baxter:prismaflex:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:baxter:prismax_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baxter:prismax:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:59

Type	Values Removed	Values Added
References	~~() https://www.us-cert.gov/ics/advisories/icsma-20-170-01 - Not Applicable~~	() https://www.us-cert.gov/ics/advisories/icsma-20-170-01 - Not Applicable

Information

Published : 2020-06-29 14:15

Updated : 2024-11-21 04:59

NVD link : CVE-2020-12036

Mitre link : CVE-2020-12036

CVE.ORG link : CVE-2020-12036

JSON object : View

Products Affected

baxter

prismaflex_firmware
prismax_firmware
prismax
prismaflex

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2020-12036", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-06-29T14:15:11.460", "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01", "tags": ["Not Applicable"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device."}, {"lang": "es", "value": "Baxter PrismaFlex todas las versiones, PrisMax todas las versiones anteriores a 3.x, los dispositivos afectados no implementan cifrado de datos en tr\u00e1nsito (por ejemplo, TLS/SSL) cuando se configuran para enviar datos de tratamiento a un PDMS (Patient Data Management System) o un sistema EMR (Electronic Medical Record). Un atacante podr\u00eda observar datos confidenciales enviados desde el dispositivo"}], "lastModified": "2024-11-21T04:59:09.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:baxter:prismaflex_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8874804-02E2-4E74-94C6-F103DCDC854E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:baxter:prismaflex:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8E5DB2B2-5D9E-494B-A860-FE2F4BC4C767"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:baxter:prismax_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F197DAD-63A3-4598-BBFC-0014707B3A01", "versionEndExcluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:baxter:prismax:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A5EB1A30-A514-437D-B976-451CF003955D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}