CVE-2020-6653

Eaton's Secure connect mobile app v1.7.3 & prior stores the user login credentials in logcat file when user create or register the account on the Mobile app. A malicious app or unauthorized user can harvest the information and later on can use the information to monitor and control the user's account and associated devices.

CVSS v3 3.8 LOW
CVSS v2.0 2.1 LOW

3.8^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.2 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-vulnerability-advisory-secure-connect-mobile-app.pdf	Vendor Advisory
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-vulnerability-advisory-secure-connect-mobile-app.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:eaton:secureconnect:*:*:*:*:*:android:*:*

History

21 Nov 2024, 05:36

Type	Values Removed	Values Added
CVSS	v2 : ~~2.1~~ v3 : ~~3.9~~	v2 : 2.1 v3 : 3.8
References	~~() https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-vulnerability-advisory-secure-connect-mobile-app.pdf - Vendor Advisory~~	() https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-vulnerability-advisory-secure-connect-mobile-app.pdf - Vendor Advisory

Information

Published : 2020-08-12 17:15

Updated : 2024-11-21 05:36

NVD link : CVE-2020-6653

Mitre link : CVE-2020-6653

CVE.ORG link : CVE-2020-6653

JSON object : View

Products Affected

eaton

secureconnect

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2020-6653", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "CybersecurityCOE@eaton.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.3}]}, "published": "2020-08-12T17:15:12.740", "references": [{"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-vulnerability-advisory-secure-connect-mobile-app.pdf", "tags": ["Vendor Advisory"], "source": "CybersecurityCOE@eaton.com"}, {"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-vulnerability-advisory-secure-connect-mobile-app.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "CybersecurityCOE@eaton.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-532"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Eaton's Secure connect mobile app v1.7.3 & prior stores the user login credentials in logcat file when user create or register the account on the Mobile app. A malicious app or unauthorized user can harvest the information and later on can use the information to monitor and control the user's account and associated devices."}, {"lang": "es", "value": "La aplicaci\u00f3n m\u00f3vil Secure Connect de Eaton versi\u00f3n v1.7.3 y anteriores, almacena las credenciales de inicio de sesi\u00f3n del usuario en el archivo logcat cuando el usuario crea o registra la cuenta en la aplicaci\u00f3n M\u00f3vil. Una aplicaci\u00f3n maliciosa o un usuario no autorizado pueden recopilar la informaci\u00f3n y, posteriormente, usar la informaci\u00f3n para supervisar y controlar la cuenta del usuario y los dispositivos asociados"}], "lastModified": "2024-11-21T05:36:06.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eaton:secureconnect:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "EF642703-335C-4ACB-B1EA-E0107D3B28EA", "versionEndIncluding": "1.7.3"}], "operator": "OR"}]}], "sourceIdentifier": "CybersecurityCOE@eaton.com"}