Potential vulnerabilities have been identified with certain versions of HP Device Manager. These vulnerabilities may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927). CVE-2020-6925 does not impact customers who are using Active Directory authenticated accounts. CVE-2020-6927 does not impact customers who are using an external database (Microsoft SQL Server) and have not installed the integrated Postgres service.
VULNERABILITY SUMMARY
| CVE ID | Potential Vulnerability | Impacted Version |
| --- | --- | --- |
| CVE-2020-6925 | Weak Cipher | All versions of HP Device Manager |
| CVE-2020-6926 | Remote Method Invocation | All versions of HP Device Manager |
| CVE-2020-6927 | Elevation of Privilege | HP Device Manager 5.0.0, HP Device Manager 5.0.1, HP Device Manager 5.0.2, HP Device Manager 5.0.3 |

| Reference | Base Vector | Base Score |
| --- | --- | --- |
| CVE-2020-6925 | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.0 |
| CVE-2020-6926 | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 9.9 |
| CVE-2020-6927 | AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 8.0 |

| Product | Updated |
| --- | --- |
| HP Device Manager 5.0 | |
| HP Device Manager 4.7 | |

PI | HP Printing and Imaging
HF | HP Hardware and Firmware
GN | HP General Software