CVE-2020-27220

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-27220

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-27220.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-27220

Published

2021-01-14T23:15:13Z

Modified

2025-01-08T07:19:23.367242Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check involves verifying that the command target device is configured giving permission for the gateway device to act on its behalf. This means an authenticated device of a certain tenant, notably also a non-gateway device acting like a gateway, may receive command & control messages targeted at a different device of the same tenant without corresponding permissions getting checked.

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=569856

Affected packages

Git / github.com/eclipse/hono

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/hono
Events: Introduced

2f415ce12c92c23aac42ac92d4652550e0b7f252

Last affected

6849cfeb2a63b3c966d3483cc6f02fb6916d4f9e

Last affected

f951786d15e03a8d1f94fd2ea5454b18e53eb104

Affected versions

1.*

1.4.0

1.4.3

1.4.4

1.5.0