Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
3.6
CVSSv2

CVE-2020-15858

Published: 21/08/2020 Updated: 24/04/2023
CVSS v2 Base Score: 3.6 | Impact Score: 4.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.4 | Impact Score: 5.5 | Exploitability Score: 0.9
VMScore: 320
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N
Subscribe to Thalesgroup

Vulnerability Summary

Some devices of Thales DIS (formerly Gemalto, formerly Cinterion) allow Directory Traversal by physically proximate attackers. The directory path access check of the internal flash file system can be circumvented. This flash file system can store application-specific data and data needed for customer Java applications, TLS and OTAP (Java over-the-air-provisioning) functionality. The affected products and releases are: BGS5 up to and including SW RN 02.000 / ARN 01.001.06 EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04 ELS61 up to and including SW RN 02.002 / ARN 01.000.04 ELS81 up to and including SW RN 05.002 / ARN 01.000.04 PLS62 up to and including SW RN 02.000 / ARN 01.000.04

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

thalesgroup bgs5_firmware

thalesgroup ehs5_firmware

thalesgroup ehs8_firmware

thalesgroup ehs6_firmware

thalesgroup pds5_firmware

thalesgroup pds6_firmware

thalesgroup els61_firmware

thalesgroup els81_firmware

thalesgroup pls62_firmware

Recent Articles

Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit: Patch me if you can
The Register • Thomas Claburn in San Francisco • 20 Aug 2020

IBM's X-Force Red X-reveals X-flaw in Thales X-wireless X-module X-thing The Internet of Things is a security nightmare, latest real-world analysis reveals: Unencrypted traffic, network crossover, vulnerable OSes

A vulnerability in Thales' Cinterion EHS8 M2M module, a Java-powered embedded 3G system used in millions of Internet-of-Things devices for connectivity, was revealed yesterday by IBM's X-Force Red. The bug (CVE-2020-15858), disclosed to Thales and addressed in a patch made available to IoT vendors in February, makes it possible for an attacker to, for instance, extract the code and other resources from a vulnerable device. This information could be reverse-engineered to find vulnerabilities to e...

Read more...

References

CWE-22https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/resources/security-updates-cinterion-iot-moduleshttp://seclists.org/fulldisclosure/2023/Apr/11http://packetstormsecurity.com/files/171978/Telit-Cinterion-IoT-Traversal-Escalation-Bypass-Heap-Overflow.htmlhttps://nvd.nist.govhttps://www.theregister.co.uk/2020/08/20/sloppy_string_sanitization_opened_javabased/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3581reflected XSSCVE-2024-26925CVE-2024-27956LFICVE-2024-3607CVE-2024-3107CVE-2024-3295SQL
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook