A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token.This vulnerability was fixed in UniFi Protect v1.14.11 and newer.This issue does not impact UniFi Cloud Key Gen 2 plus.This issue does not impact UDM-Pro customers with UniFi Protect stopped.Affected Products:UDM-Pro firmware 1.7.2 and earlier.UNVR firmware 1.3.12 and earlier.Mitigation:Update UniFi Protect to v1.14.11 or newer version; the UniFi Protect controller can be updated through your UniFi OS settings.Alternatively, you can update UNVR and UDM-Pro to:- UNVR firmware to 1.3.15 or newer.- UDM-Pro firmware to 1.8.0 or newer.
References
Link | Resource |
---|---|
https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a081-49ba-8f51-131f3a13000a | Patch Vendor Advisory |
https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-1b3066bf2bbf | Release Notes Vendor Advisory |
https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c996-43d9-ab95-8c97ae05a98f | Patch Vendor Advisory |
https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a081-49ba-8f51-131f3a13000a | Patch Vendor Advisory |
https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-1b3066bf2bbf | Release Notes Vendor Advisory |
https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c996-43d9-ab95-8c97ae05a98f | Patch Vendor Advisory |
Configurations
History
21 Nov 2024, 05:38
Type | Values Removed | Values Added |
---|---|---|
References | () https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a081-49ba-8f51-131f3a13000a - Patch, Vendor Advisory | |
References | () https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-1b3066bf2bbf - Release Notes, Vendor Advisory | |
References | () https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c996-43d9-ab95-8c97ae05a98f - Patch, Vendor Advisory |
Information
Published : 2020-11-05 19:15
Updated : 2024-11-21 05:38
NVD link : CVE-2020-8267
Mitre link : CVE-2020-8267
CVE.ORG link : CVE-2020-8267
JSON object : View
Products Affected
ui
- unifi_protect_firmware
CWE
CWE-287
Improper Authentication