CVE-2020-24683
22.12.2020, 22:15
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
Vendor | Product | Version |
---|---|---|
abb | symphony_\+_historian | 3.0 |
abb | symphony_\+_historian | 3.1 |
abb | symphony_\+_operations | 1.1 |
abb | symphony_\+_operations | 2.0 |
abb | symphony_\+_operations | 2.1:sp1 |
abb | symphony_\+_operations | 2.1:sp2 |
abb | symphony_\+_operations | 3.0 |
abb | symphony_\+_operations | 3.1 |
abb | symphony_\+_operations | 3.2 |
abb | symphony_\+_operations | 3.3 |
Common Weakness Enumeration
- CWE-305 - Authentication Bypass by Primary Weakness: The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
- CWE-669 - Incorrect Resource Transfer Between Spheres: The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.